1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
5001
5002
5003
5004
5005
5006
5007
5008
5009
5010
5011
5012
5013
5014
5015
5016
5017
5018
5019
5020
5021
5022
5023
5024
5025
5026
5027
5028
5029
5030
5031
5032
5033
5034
5035
5036
5037
5038
5039
5040
5041
5042
5043
5044
5045
5046
5047
5048
5049
5050
5051
5052
5053
5054
5055
5056
5057
5058
5059
5060
5061
5062
5063
5064
5065
5066
5067
5068
5069
5070
5071
5072
5073
5074
5075
5076
5077
5078
5079
5080
5081
5082
5083
5084
5085
5086
5087
5088
5089
5090
5091
5092
5093
5094
5095
5096
5097
5098
5099
5100
5101
5102
5103
5104
5105
5106
5107
5108
5109
5110
5111
5112
5113
5114
5115
5116
5117
5118
5119
5120
5121
5122
5123
5124
5125
5126
5127
5128
5129
5130
5131
5132
5133
5134
5135
5136
5137
5138
5139
5140
5141
5142
5143
5144
5145
5146
5147
5148
5149
5150
5151
5152
5153
5154
5155
5156
5157
5158
5159
5160
5161
5162
5163
5164
5165
5166
5167
5168
5169
5170
5171
5172
5173
5174
5175
5176
5177
5178
5179
5180
5181
5182
5183
5184
5185
5186
5187
5188
5189
5190
5191
5192
5193
5194
5195
5196
5197
5198
5199
5200
5201
5202
5203
5204
5205
5206
5207
5208
5209
5210
5211
5212
5213
5214
5215
5216
5217
5218
5219
5220
5221
5222
5223
5224
5225
5226
5227
5228
5229
5230
5231
5232
5233
5234
5235
5236
5237
5238
5239
5240
5241
5242
5243
5244
5245
5246
5247
5248
5249
5250
5251
5252
5253
5254
5255
5256
5257
5258
5259
5260
5261
5262
5263
5264
5265
5266
5267
5268
5269
5270
5271
5272
5273
5274
5275
5276
5277
5278
5279
5280
5281
5282
5283
5284
5285
5286
5287
5288
5289
5290
5291
5292
5293
5294
5295
5296
5297
5298
5299
5300
5301
5302
5303
5304
5305
5306
5307
5308
5309
5310
5311
5312
5313
5314
5315
5316
5317
5318
5319
5320
5321
5322
5323
5324
5325
5326
5327
5328
5329
5330
5331
5332
5333
5334
5335
5336
5337
5338
5339
5340
5341
5342
5343
5344
5345
5346
5347
5348
5349
5350
5351
5352
5353
5354
5355
5356
5357
5358
5359
5360
5361
5362
5363
5364
5365
5366
5367
5368
5369
5370
5371
5372
5373
5374
5375
5376
5377
5378
5379
5380
5381
5382
5383
5384
5385
5386
5387
5388
5389
5390
5391
5392
5393
5394
5395
5396
5397
5398
5399
5400
5401
5402
5403
5404
5405
5406
5407
5408
5409
5410
5411
5412
5413
5414
5415
5416
5417
5418
5419
5420
5421
5422
5423
5424
5425
5426
5427
5428
5429
5430
5431
5432
5433
5434
5435
5436
5437
5438
5439
5440
5441
5442
5443
5444
5445
5446
5447
5448
5449
5450
5451
5452
5453
5454
5455
5456
5457
5458
5459
5460
5461
5462
5463
5464
5465
5466
5467
5468
5469
5470
5471
5472
5473
5474
5475
5476
5477
5478
5479
5480
5481
5482
5483
5484
5485
5486
5487
5488
5489
5490
5491
5492
5493
5494
5495
5496
5497
5498
5499
5500
5501
5502
5503
5504
5505
5506
5507
5508
5509
5510
5511
5512
5513
5514
5515
5516
5517
5518
5519
5520
5521
5522
5523
5524
5525
5526
5527
5528
5529
5530
5531
5532
5533
5534
5535
5536
5537
5538
5539
5540
5541
5542
5543
5544
5545
5546
5547
5548
5549
5550
5551
5552
5553
5554
5555
5556
5557
5558
5559
5560
5561
5562
5563
5564
5565
5566
5567
5568
5569
5570
5571
5572
5573
5574
5575
5576
5577
5578
5579
5580
5581
5582
5583
5584
5585
5586
5587
5588
5589
5590
5591
5592
5593
5594
5595
5596
5597
5598
5599
5600
5601
5602
5603
5604
5605
5606
5607
5608
5609
5610
5611
5612
5613
5614
5615
5616
5617
5618
5619
5620
5621
5622
5623
5624
5625
5626
5627
5628
5629
5630
5631
5632
5633
5634
5635
5636
5637
5638
5639
5640
5641
5642
5643
5644
5645
5646
5647
5648
5649
5650
5651
5652
5653
5654
5655
5656
5657
5658
5659
5660
5661
5662
5663
5664
5665
5666
5667
5668
5669
5670
5671
5672
5673
5674
5675
5676
5677
5678
5679
5680
5681
5682
5683
5684
5685
5686
5687
5688
5689
5690
5691
5692
5693
5694
5695
5696
5697
5698
5699
5700
5701
5702
5703
5704
5705
5706
5707
5708
5709
5710
5711
5712
5713
5714
5715
5716
5717
5718
5719
5720
5721
5722
5723
5724
5725
5726
5727
5728
5729
5730
5731
5732
5733
5734
5735
5736
5737
5738
5739
5740
5741
5742
5743
5744
5745
5746
5747
5748
5749
5750
5751
5752
5753
5754
5755
5756
5757
5758
5759
5760
5761
5762
5763
5764
5765
5766
5767
5768
5769
5770
5771
5772
5773
5774
5775
5776
5777
5778
5779
5780
5781
5782
5783
5784
5785
5786
5787
5788
5789
5790
5791
5792
5793
5794
5795
5796
5797
5798
5799
5800
5801
5802
5803
5804
5805
5806
5807
5808
5809
5810
5811
5812
5813
5814
5815
5816
5817
5818
5819
5820
5821
5822
5823
5824
5825
5826
5827
5828
5829
5830
5831
5832
5833
5834
5835
5836
5837
5838
5839
5840
5841
5842
5843
5844
5845
5846
5847
5848
5849
5850
5851
5852
5853
5854
5855
5856
5857
5858
5859
5860
5861
5862
5863
5864
5865
5866
5867
5868
5869
5870
5871
5872
5873
5874
5875
5876
5877
5878
5879
5880
5881
5882
5883
5884
5885
5886
5887
5888
5889
5890
5891
5892
5893
5894
5895
5896
5897
5898
5899
5900
5901
5902
5903
5904
5905
5906
5907
5908
5909
5910
5911
5912
5913
5914
5915
5916
5917
5918
5919
5920
5921
5922
5923
5924
5925
5926
5927
5928
5929
5930
5931
5932
5933
5934
5935
5936
5937
5938
5939
5940
5941
5942
5943
5944
5945
5946
5947
5948
5949
5950
5951
5952
5953
5954
5955
5956
5957
5958
5959
5960
5961
5962
5963
5964
5965
5966
5967
5968
5969
5970
5971
5972
5973
5974
5975
5976
5977
5978
5979
5980
5981
5982
5983
5984
5985
5986
5987
5988
5989
5990
5991
5992
5993
5994
5995
5996
5997
5998
5999
6000
6001
6002
6003
6004
6005
6006
6007
6008
6009
6010
6011
6012
6013
6014
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
6180
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
6240
6241
6242
6243
6244
6245
6246
6247
6248
6249
6250
6251
6252
6253
6254
6255
6256
6257
6258
6259
6260
6261
6262
6263
6264
6265
6266
6267
6268
6269
6270
6271
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290
6291
6292
6293
6294
6295
6296
6297
6298
6299
6300
6301
6302
6303
6304
6305
6306
6307
6308
6309
6310
6311
6312
6313
6314
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6344
6345
6346
6347
6348
6349
6350
6351
6352
6353
6354
6355
6356
6357
6358
6359
6360
6361
6362
6363
6364
6365
6366
6367
6368
6369
6370
6371
6372
6373
6374
6375
6376
6377
6378
6379
6380
6381
6382
6383
6384
6385
6386
6387
6388
6389
6390
6391
6392
6393
6394
6395
6396
6397
6398
6399
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6411
6412
6413
6414
6415
6416
6417
6418
6419
6420
6421
6422
6423
6424
6425
6426
6427
6428
6429
6430
6431
6432
6433
6434
6435
6436
6437
6438
6439
6440
6441
6442
6443
6444
6445
6446
6447
6448
6449
6450
6451
6452
6453
6454
6455
6456
6457
6458
6459
6460
6461
6462
6463
6464
6465
6466
6467
6468
6469
6470
6471
6472
6473
6474
6475
6476
6477
6478
6479
6480
6481
6482
6483
6484
6485
6486
6487
6488
6489
6490
6491
6492
6493
6494
6495
6496
6497
6498
6499
6500
6501
6502
6503
6504
6505
6506
6507
6508
6509
6510
6511
6512
6513
6514
6515
6516
6517
6518
6519
6520
6521
6522
6523
6524
6525
6526
6527
6528
6529
6530
6531
6532
6533
6534
6535
6536
6537
6538
6539
6540
6541
6542
6543
6544
6545
6546
6547
6548
6549
6550
6551
6552
6553
6554
6555
6556
6557
6558
6559
6560
6561
6562
6563
6564
6565
6566
6567
6568
6569
6570
6571
6572
6573
6574
6575
6576
6577
6578
6579
6580
6581
6582
6583
6584
6585
6586
6587
6588
6589
6590
6591
6592
6593
6594
6595
6596
6597
6598
6599
6600
6601
6602
6603
6604
6605
6606
6607
6608
6609
6610
6611
6612
6613
6614
6615
6616
6617
6618
6619
6620
6621
6622
6623
6624
6625
6626
6627
6628
6629
6630
6631
6632
6633
6634
6635
6636
6637
6638
6639
6640
6641
6642
6643
6644
6645
6646
6647
6648
6649
6650
6651
6652
6653
6654
6655
6656
6657
6658
6659
6660
6661
6662
6663
6664
6665
6666
6667
6668
6669
6670
6671
6672
6673
6674
6675
6676
6677
6678
6679
6680
6681
6682
6683
6684
6685
6686
6687
6688
6689
6690
6691
6692
6693
6694
6695
6696
6697
6698
6699
6700
6701
6702
6703
6704
6705
6706
6707
6708
6709
6710
6711
6712
6713
6714
6715
6716
6717
6718
6719
6720
6721
6722
6723
6724
6725
6726
6727
6728
6729
6730
6731
6732
6733
6734
6735
6736
6737
6738
6739
6740
6741
6742
6743
6744
6745
6746
6747
6748
6749
6750
6751
6752
6753
6754
6755
6756
6757
6758
6759
6760
6761
6762
6763
6764
6765
6766
6767
6768
6769
6770
6771
6772
6773
6774
6775
6776
6777
6778
6779
6780
6781
6782
6783
6784
6785
6786
6787
6788
6789
6790
6791
6792
6793
6794
6795
6796
6797
6798
6799
6800
6801
6802
6803
6804
6805
6806
6807
6808
6809
6810
6811
6812
6813
6814
6815
6816
6817
6818
6819
6820
6821
6822
6823
6824
6825
6826
6827
6828
6829
6830
6831
6832
6833
6834
6835
6836
6837
6838
6839
6840
6841
6842
6843
6844
6845
6846
6847
6848
6849
6850
6851
6852
6853
6854
6855
6856
6857
6858
6859
6860
6861
6862
6863
6864
6865
6866
6867
6868
6869
6870
6871
6872
6873
6874
6875
6876
6877
6878
6879
6880
6881
6882
6883
6884
6885
6886
6887
6888
6889
6890
6891
6892
6893
6894
6895
6896
6897
6898
6899
6900
6901
6902
6903
6904
6905
6906
6907
6908
6909
6910
6911
6912
6913
6914
6915
6916
6917
6918
6919
6920
6921
6922
6923
6924
6925
6926
6927
6928
6929
6930
6931
6932
6933
6934
6935
6936
6937
6938
6939
6940
6941
6942
6943
6944
6945
6946
6947
6948
6949
6950
6951
6952
6953
6954
6955
6956
6957
6958
6959
6960
6961
6962
6963
6964
6965
6966
6967
6968
6969
6970
6971
6972
6973
6974
6975
6976
6977
6978
6979
6980
6981
6982
6983
6984
6985
6986
6987
6988
6989
6990
6991
6992
6993
6994
6995
6996
6997
6998
6999
7000
7001
7002
7003
7004
7005
7006
7007
7008
7009
7010
7011
7012
7013
7014
7015
7016
7017
7018
7019
7020
7021
7022
7023
7024
7025
7026
7027
7028
7029
7030
7031
7032
7033
7034
7035
7036
7037
7038
7039
7040
7041
7042
7043
7044
7045
7046
7047
7048
7049
7050
7051
7052
7053
7054
7055
7056
7057
7058
7059
7060
7061
7062
7063
7064
7065
7066
7067
7068
7069
7070
7071
7072
7073
7074
7075
7076
7077
7078
7079
7080
7081
7082
7083
7084
7085
7086
7087
7088
7089
7090
7091
7092
7093
7094
7095
7096
7097
7098
7099
7100
7101
7102
7103
7104
7105
7106
7107
7108
7109
7110
7111
7112
7113
7114
7115
7116
7117
7118
7119
7120
7121
7122
7123
7124
7125
7126
7127
7128
7129
7130
7131
7132
7133
7134
7135
7136
7137
7138
7139
7140
7141
7142
7143
7144
7145
7146
7147
7148
7149
7150
7151
7152
7153
7154
7155
7156
7157
7158
7159
7160
7161
7162
7163
7164
7165
7166
7167
7168
7169
7170
7171
7172
7173
7174
7175
7176
7177
7178
7179
7180
7181
7182
7183
7184
7185
7186
7187
7188
7189
7190
7191
7192
7193
7194
7195
7196
7197
7198
7199
7200
7201
7202
7203
7204
7205
7206
7207
7208
7209
7210
7211
7212
7213
7214
7215
7216
7217
7218
7219
7220
7221
7222
7223
7224
7225
7226
7227
7228
7229
7230
7231
7232
7233
7234
7235
7236
7237
7238
7239
7240
7241
7242
7243
7244
7245
7246
7247
7248
7249
7250
7251
7252
7253
7254
7255
7256
7257
7258
7259
7260
7261
7262
7263
7264
7265
7266
7267
7268
7269
7270
7271
7272
7273
7274
7275
7276
7277
7278
7279
7280
7281
7282
7283
7284
7285
7286
7287
7288
7289
7290
7291
7292
7293
7294
7295
7296
7297
7298
7299
7300
7301
7302
7303
7304
7305
7306
7307
7308
7309
7310
7311
7312
7313
7314
7315
7316
7317
7318
7319
7320
7321
7322
7323
7324
7325
7326
7327
7328
7329
7330
7331
7332
7333
7334
7335
7336
7337
7338
7339
7340
7341
7342
7343
7344
7345
7346
7347
7348
7349
7350
7351
7352
7353
7354
7355
7356
7357
7358
7359
7360
7361
7362
7363
7364
7365
7366
7367
7368
7369
7370
7371
7372
7373
7374
7375
7376
7377
7378
7379
7380
7381
7382
7383
7384
7385
7386
7387
7388
7389
7390
7391
7392
7393
7394
7395
7396
7397
7398
7399
7400
7401
7402
7403
7404
7405
7406
7407
7408
7409
7410
7411
7412
7413
7414
7415
7416
7417
7418
7419
7420
7421
7422
7423
7424
7425
7426
7427
7428
7429
7430
7431
7432
7433
7434
7435
7436
7437
7438
7439
7440
7441
7442
7443
7444
7445
7446
7447
7448
7449
7450
7451
7452
7453
7454
7455
7456
7457
7458
7459
7460
7461
7462
7463
7464
7465
7466
7467
7468
7469
7470
7471
7472
7473
7474
7475
7476
7477
7478
7479
7480
7481
7482
7483
7484
7485
7486
7487
7488
7489
7490
7491
7492
7493
7494
7495
7496
7497
7498
7499
7500
7501
7502
7503
7504
7505
7506
7507
7508
7509
7510
7511
7512
7513
7514
7515
7516
7517
7518
7519
7520
7521
7522
7523
7524
7525
7526
7527
7528
7529
7530
7531
7532
7533
7534
7535
7536
7537
7538
7539
7540
7541
7542
7543
7544
7545
7546
7547
7548
7549
7550
7551
7552
7553
7554
7555
7556
7557
7558
7559
7560
7561
7562
7563
7564
7565
7566
7567
7568
7569
7570
7571
7572
7573
7574
7575
7576
7577
7578
7579
7580
7581
7582
7583
7584
7585
7586
7587
7588
7589
7590
7591
7592
7593
7594
7595
7596
7597
7598
7599
7600
7601
7602
7603
7604
7605
7606
7607
7608
7609
7610
7611
7612
7613
7614
7615
7616
7617
7618
7619
7620
7621
7622
7623
7624
7625
7626
7627
7628
7629
7630
7631
7632
7633
7634
7635
7636
7637
7638
7639
7640
7641
7642
7643
7644
7645
7646
7647
7648
7649
7650
7651
7652
7653
7654
7655
7656
7657
7658
7659
7660
7661
7662
7663
7664
7665
7666
7667
7668
7669
7670
7671
7672
7673
7674
7675
7676
7677
7678
7679
7680
7681
7682
7683
7684
7685
7686
7687
7688
7689
7690
7691
7692
7693
7694
7695
7696
7697
7698
7699
7700
7701
7702
7703
7704
7705
7706
7707
7708
7709
7710
7711
7712
7713
7714
7715
7716
7717
7718
7719
7720
7721
7722
7723
7724
7725
7726
7727
7728
7729
7730
7731
7732
7733
7734
7735
7736
7737
7738
7739
7740
7741
7742
7743
7744
7745
7746
7747
7748
7749
7750
7751
7752
7753
7754
7755
7756
7757
7758
7759
7760
7761
7762
7763
7764
7765
7766
7767
7768
7769
7770
7771
7772
7773
7774
7775
7776
7777
7778
7779
7780
7781
7782
7783
7784
7785
7786
7787
7788
7789
7790
7791
7792
7793
7794
7795
7796
7797
7798
7799
7800
7801
7802
7803
7804
7805
7806
7807
7808
7809
7810
7811
7812
7813
7814
7815
7816
7817
7818
7819
7820
7821
7822
7823
7824
7825
7826
7827
7828
7829
7830
7831
7832
7833
7834
7835
7836
7837
7838
7839
7840
7841
7842
7843
7844
7845
7846
7847
7848
7849
7850
7851
7852
7853
7854
7855
7856
7857
7858
7859
7860
7861
7862
7863
7864
7865
7866
7867
7868
7869
7870
7871
7872
7873
7874
7875
7876
7877
7878
7879
7880
7881
7882
7883
7884
7885
7886
7887
7888
7889
7890
7891
7892
7893
7894
7895
7896
7897
7898
7899
7900
7901
7902
7903
7904
7905
7906
7907
7908
7909
7910
7911
7912
7913
7914
7915
7916
7917
7918
7919
7920
7921
7922
7923
7924
7925
7926
7927
7928
7929
7930
7931
7932
7933
7934
7935
7936
7937
7938
7939
7940
7941
7942
7943
7944
7945
7946
7947
7948
7949
7950
7951
7952
7953
7954
7955
7956
7957
7958
7959
7960
7961
7962
7963
7964
7965
7966
7967
7968
7969
7970
7971
7972
7973
7974
7975
7976
7977
7978
7979
7980
7981
7982
7983
7984
7985
7986
7987
7988
7989
7990
7991
7992
7993
7994
7995
7996
7997
7998
7999
8000
8001
8002
8003
8004
8005
8006
8007
8008
8009
8010
8011
8012
8013
8014
8015
8016
8017
8018
8019
8020
8021
8022
8023
8024
8025
8026
8027
8028
8029
8030
8031
8032
8033
8034
8035
8036
8037
8038
8039
8040
8041
8042
8043
8044
8045
8046
8047
8048
8049
8050
8051
8052
8053
8054
8055
8056
8057
8058
8059
8060
8061
8062
8063
8064
8065
8066
8067
8068
8069
8070
8071
8072
8073
8074
8075
8076
8077
8078
8079
8080
8081
8082
8083
8084
8085
8086
8087
8088
8089
8090
8091
8092
8093
8094
8095
8096
8097
8098
8099
8100
8101
8102
8103
8104
8105
8106
8107
8108
8109
8110
8111
8112
8113
8114
8115
8116
8117
8118
8119
8120
8121
8122
8123
8124
8125
8126
8127
8128
8129
8130
8131
8132
8133
8134
8135
8136
8137
8138
8139
8140
8141
8142
8143
8144
8145
8146
8147
8148
8149
8150
8151
8152
8153
8154
8155
8156
8157
8158
8159
8160
8161
8162
8163
8164
8165
8166
8167
8168
8169
8170
8171
8172
8173
8174
8175
8176
8177
8178
8179
8180
8181
8182
8183
8184
8185
8186
8187
8188
8189
8190
8191
8192
8193
8194
8195
8196
8197
8198
8199
8200
8201
8202
8203
8204
8205
8206
8207
8208
8209
8210
8211
8212
8213
8214
8215
8216
8217
8218
8219
8220
8221
8222
8223
8224
8225
8226
8227
8228
8229
8230
8231
8232
8233
8234
8235
8236
8237
8238
8239
8240
8241
8242
8243
8244
8245
8246
8247
8248
8249
8250
8251
8252
8253
8254
8255
8256
8257
8258
8259
8260
8261
8262
8263
8264
8265
8266
8267
8268
8269
8270
8271
8272
8273
8274
8275
8276
8277
8278
8279
8280
8281
8282
8283
8284
8285
8286
8287
8288
8289
8290
8291
8292
8293
8294
8295
8296
8297
8298
8299
8300
8301
8302
8303
8304
8305
8306
8307
8308
8309
8310
8311
8312
8313
8314
8315
8316
8317
8318
8319
8320
8321
8322
8323
8324
8325
8326
8327
8328
8329
8330
8331
8332
8333
8334
8335
8336
8337
8338
8339
8340
8341
8342
8343
8344
8345
8346
8347
8348
8349
8350
8351
8352
8353
8354
8355
8356
8357
8358
8359
8360
8361
8362
8363
8364
8365
8366
8367
8368
8369
8370
8371
8372
8373
8374
8375
8376
8377
8378
8379
8380
8381
8382
8383
8384
8385
8386
8387
8388
8389
8390
8391
8392
8393
8394
8395
8396
8397
8398
8399
8400
8401
8402
8403
8404
8405
8406
8407
8408
8409
8410
8411
8412
8413
8414
8415
8416
8417
8418
8419
8420
8421
8422
8423
8424
8425
8426
8427
8428
8429
8430
8431
8432
8433
8434
8435
8436
8437
8438
8439
8440
8441
8442
8443
8444
8445
8446
8447
8448
8449
8450
8451
8452
8453
8454
8455
8456
8457
8458
8459
8460
8461
8462
8463
8464
8465
8466
8467
8468
8469
8470
8471
8472
8473
8474
8475
8476
8477
8478
8479
8480
8481
8482
8483
8484
8485
8486
8487
8488
8489
8490
8491
8492
8493
8494
8495
8496
8497
8498
8499
8500
8501
8502
8503
8504
8505
8506
8507
8508
8509
8510
8511
8512
8513
8514
8515
8516
8517
8518
8519
8520
8521
8522
8523
8524
8525
8526
8527
8528
8529
8530
8531
8532
8533
8534
8535
8536
8537
8538
8539
8540
8541
8542
8543
8544
8545
8546
8547
8548
8549
8550
8551
8552
8553
8554
8555
8556
8557
8558
8559
8560
8561
8562
8563
8564
8565
8566
8567
8568
8569
8570
8571
8572
8573
8574
8575
8576
8577
8578
8579
8580
8581
8582
8583
8584
8585
8586
8587
8588
8589
8590
8591
8592
8593
8594
8595
8596
8597
8598
8599
8600
8601
8602
8603
8604
8605
8606
8607
8608
8609
8610
8611
8612
8613
8614
8615
8616
8617
8618
8619
8620
8621
8622
8623
8624
8625
8626
8627
8628
8629
8630
8631
8632
8633
8634
8635
8636
8637
8638
8639
8640
8641
8642
8643
8644
8645
8646
8647
8648
8649
8650
8651
8652
8653
8654
8655
8656
8657
8658
8659
8660
8661
8662
8663
8664
8665
8666
8667
8668
8669
8670
8671
8672
8673
8674
8675
8676
8677
8678
8679
8680
8681
8682
8683
8684
8685
8686
8687
8688
8689
8690
8691
8692
8693
8694
8695
8696
8697
8698
8699
8700
8701
8702
8703
8704
8705
8706
8707
8708
8709
8710
8711
8712
8713
8714
8715
8716
8717
8718
8719
8720
8721
8722
8723
8724
8725
8726
8727
8728
8729
8730
8731
8732
8733
8734
8735
8736
8737
8738
8739
8740
8741
8742
8743
8744
8745
8746
8747
8748
8749
8750
8751
8752
8753
8754
8755
8756
8757
8758
8759
8760
8761
8762
8763
8764
8765
8766
8767
8768
8769
8770
8771
8772
8773
8774
8775
8776
8777
8778
8779
8780
8781
8782
8783
8784
8785
8786
8787
8788
8789
8790
8791
8792
8793
8794
8795
8796
8797
8798
8799
8800
8801
8802
8803
8804
8805
8806
8807
8808
8809
8810
8811
8812
8813
8814
8815
8816
8817
8818
8819
8820
8821
8822
8823
8824
8825
8826
8827
8828
8829
8830
8831
8832
8833
8834
8835
8836
8837
8838
8839
8840
8841
8842
8843
8844
8845
8846
8847
8848
8849
8850
8851
8852
8853
8854
8855
8856
8857
8858
8859
8860
8861
8862
8863
8864
8865
8866
8867
8868
8869
8870
8871
8872
8873
8874
8875
8876
8877
8878
8879
8880
8881
8882
8883
8884
8885
8886
8887
8888
8889
8890
8891
8892
8893
8894
8895
8896
8897
8898
8899
8900
8901
8902
8903
8904
8905
8906
8907
8908
8909
8910
8911
8912
8913
8914
8915
8916
8917
8918
8919
8920
8921
8922
8923
8924
8925
8926
8927
8928
8929
8930
8931
8932
8933
8934
8935
8936
8937
8938
8939
8940
8941
8942
8943
8944
8945
8946
8947
8948
8949
8950
8951
8952
8953
8954
8955
8956
8957
8958
8959
8960
8961
8962
8963
8964
8965
8966
8967
8968
8969
8970
8971
8972
8973
8974
8975
8976
8977
8978
8979
8980
8981
8982
8983
8984
8985
8986
8987
8988
8989
8990
8991
8992
8993
8994
8995
8996
8997
8998
8999
9000
9001
9002
9003
9004
9005
9006
9007
9008
9009
9010
9011
9012
9013
9014
9015
9016
9017
9018
9019
9020
9021
9022
9023
9024
9025
9026
9027
9028
9029
9030
9031
9032
9033
9034
9035
9036
9037
9038
9039
9040
9041
9042
9043
9044
9045
9046
9047
9048
9049
9050
9051
9052
9053
9054
9055
9056
9057
9058
9059
9060
9061
9062
9063
9064
9065
9066
9067
9068
9069
9070
9071
9072
9073
9074
9075
9076
9077
9078
9079
9080
9081
9082
9083
9084
9085
9086
9087
9088
9089
9090
9091
9092
9093
9094
9095
9096
9097
9098
9099
9100
9101
9102
9103
9104
9105
9106
9107
9108
9109
9110
9111
9112
9113
9114
9115
9116
9117
9118
9119
9120
9121
9122
9123
9124
9125
9126
9127
9128
9129
9130
9131
9132
9133
9134
9135
9136
9137
9138
9139
9140
9141
9142
9143
9144
9145
9146
9147
9148
9149
9150
9151
9152
9153
9154
9155
9156
9157
9158
9159
9160
9161
9162
9163
9164
9165
9166
9167
9168
9169
9170
9171
9172
9173
9174
9175
9176
9177
9178
9179
9180
9181
9182
9183
9184
9185
9186
9187
9188
9189
9190
9191
9192
9193
9194
9195
9196
9197
9198
9199
9200
9201
9202
9203
9204
9205
9206
9207
9208
9209
9210
9211
9212
9213
9214
9215
9216
9217
9218
9219
9220
9221
9222
9223
9224
9225
9226
9227
9228
9229
9230
9231
9232
9233
9234
9235
9236
9237
9238
9239
9240
9241
9242
9243
9244
9245
9246
9247
9248
9249
9250
9251
9252
9253
9254
9255
9256
9257
9258
9259
9260
9261
9262
9263
9264
9265
9266
9267
9268
9269
9270
9271
9272
9273
9274
9275
9276
9277
9278
9279
9280
9281
9282
9283
9284
9285
9286
9287
9288
9289
9290
9291
9292
9293
9294
9295
9296
9297
9298
9299
9300
9301
9302
9303
9304
9305
9306
9307
9308
9309
9310
9311
9312
9313
9314
9315
9316
9317
9318
9319
9320
9321
9322
9323
9324
9325
9326
9327
9328
9329
9330
9331
9332
9333
9334
9335
9336
9337
9338
9339
9340
9341
9342
9343
9344
9345
9346
9347
9348
9349
9350
9351
9352
9353
9354
9355
9356
9357
9358
9359
9360
9361
9362
9363
9364
9365
9366
9367
9368
9369
9370
9371
9372
9373
9374
9375
9376
9377
9378
9379
9380
9381
9382
9383
9384
9385
9386
9387
9388
9389
9390
9391
9392
9393
9394
9395
9396
9397
9398
9399
9400
9401
9402
9403
9404
9405
9406
9407
9408
9409
9410
9411
9412
9413
9414
9415
9416
9417
9418
9419
9420
9421
9422
9423
9424
9425
9426
9427
9428
9429
9430
9431
9432
9433
9434
9435
9436
9437
9438
9439
9440
9441
9442
9443
9444
9445
9446
9447
9448
9449
9450
9451
9452
9453
9454
9455
9456
9457
9458
9459
9460
9461
9462
9463
9464
9465
9466
9467
9468
9469
9470
9471
9472
9473
9474
9475
9476
9477
9478
9479
9480
9481
9482
9483
9484
9485
9486
9487
9488
9489
9490
9491
9492
9493
9494
9495
9496
9497
9498
9499
9500
9501
9502
9503
9504
9505
9506
9507
9508
9509
9510
9511
9512
9513
9514
9515
9516
9517
9518
9519
9520
9521
9522
9523
9524
9525
9526
9527
9528
9529
9530
9531
9532
9533
9534
9535
9536
9537
9538
9539
9540
9541
9542
9543
9544
9545
9546
9547
9548
9549
9550
9551
9552
9553
9554
9555
9556
9557
9558
9559
9560
9561
9562
9563
9564
9565
9566
9567
9568
9569
9570
9571
9572
9573
9574
9575
9576
9577
9578
9579
9580
9581
9582
9583
9584
9585
9586
9587
9588
9589
9590
9591
9592
9593
9594
9595
9596
9597
9598
9599
9600
9601
9602
9603
9604
9605
9606
9607
9608
9609
9610
9611
9612
9613
9614
9615
9616
9617
9618
9619
9620
9621
9622
9623
9624
9625
9626
9627
9628
9629
9630
9631
9632
9633
9634
9635
9636
9637
9638
9639
9640
9641
9642
9643
9644
9645
9646
9647
9648
9649
9650
9651
9652
9653
9654
9655
9656
9657
9658
9659
9660
9661
9662
9663
9664
9665
9666
9667
9668
9669
9670
9671
9672
9673
9674
9675
9676
9677
9678
9679
9680
9681
9682
9683
9684
9685
9686
9687
9688
9689
9690
9691
9692
9693
9694
9695
9696
9697
9698
9699
9700
9701
9702
9703
9704
9705
9706
9707
9708
9709
9710
9711
9712
9713
9714
9715
9716
9717
9718
9719
9720
9721
9722
9723
9724
9725
9726
9727
9728
9729
9730
9731
9732
9733
9734
9735
9736
9737
9738
9739
9740
9741
9742
9743
9744
9745
9746
9747
9748
9749
9750
9751
9752
9753
9754
9755
9756
9757
9758
9759
9760
9761
9762
9763
9764
9765
9766
9767
9768
9769
9770
9771
9772
9773
9774
9775
9776
9777
9778
9779
9780
9781
9782
9783
9784
9785
9786
9787
9788
9789
9790
9791
9792
9793
9794
9795
9796
9797
9798
9799
9800
9801
9802
9803
9804
9805
9806
9807
9808
9809
9810
9811
9812
9813
9814
9815
9816
9817
9818
9819
9820
9821
9822
9823
9824
9825
9826
9827
9828
9829
9830
9831
9832
9833
9834
9835
9836
9837
9838
9839
9840
9841
9842
9843
9844
9845
9846
9847
9848
9849
9850
9851
9852
9853
9854
9855
9856
9857
9858
9859
9860
9861
9862
9863
9864
9865
9866
9867
9868
9869
9870
9871
9872
9873
9874
9875
9876
9877
9878
9879
9880
9881
9882
9883
9884
9885
9886
9887
9888
9889
9890
9891
9892
9893
9894
9895
9896
9897
9898
9899
9900
9901
9902
9903
9904
9905
9906
9907
9908
9909
9910
9911
9912
9913
9914
9915
9916
9917
9918
9919
9920
9921
9922
9923
9924
9925
9926
9927
9928
9929
9930
9931
9932
9933
9934
9935
9936
9937
9938
9939
9940
9941
9942
9943
9944
9945
9946
9947
9948
9949
9950
9951
9952
9953
9954
9955
9956
9957
9958
9959
9960
9961
9962
9963
9964
9965
9966
9967
9968
9969
9970
9971
9972
9973
9974
9975
9976
9977
9978
9979
9980
9981
9982
9983
9984
9985
9986
9987
9988
9989
9990
9991
9992
9993
9994
9995
9996
9997
9998
9999
10000
10001
10002
10003
10004
10005
10006
10007
10008
10009
10010
10011
10012
10013
10014
10015
10016
10017
10018
10019
10020
10021
10022
10023
10024
10025
10026
10027
10028
10029
10030
10031
10032
10033
10034
10035
10036
10037
10038
10039
10040
10041
10042
10043
10044
10045
10046
10047
10048
10049
10050
10051
10052
10053
10054
10055
10056
10057
10058
10059
10060
10061
10062
10063
10064
10065
10066
10067
10068
10069
10070
10071
10072
10073
10074
10075
10076
10077
10078
10079
10080
10081
10082
10083
10084
10085
10086
10087
10088
10089
10090
10091
10092
10093
10094
10095
10096
10097
10098
10099
10100
10101
10102
10103
10104
10105
10106
10107
10108
10109
10110
10111
10112
10113
10114
10115
10116
10117
10118
10119
10120
10121
10122
10123
10124
10125
10126
10127
10128
10129
10130
10131
10132
10133
10134
10135
10136
10137
10138
10139
10140
10141
10142
10143
10144
10145
10146
10147
10148
10149
10150
10151
10152
10153
10154
10155
10156
10157
10158
10159
10160
10161
10162
10163
10164
10165
10166
10167
10168
10169
10170
10171
10172
10173
10174
10175
10176
10177
10178
10179
10180
10181
10182
10183
10184
10185
10186
10187
10188
10189
10190
10191
10192
10193
10194
10195
10196
10197
10198
10199
10200
10201
10202
10203
10204
10205
10206
10207
10208
10209
10210
10211
10212
10213
10214
10215
10216
10217
10218
10219
10220
10221
10222
10223
10224
10225
10226
10227
10228
10229
10230
10231
10232
10233
10234
10235
10236
10237
10238
10239
10240
10241
10242
10243
10244
10245
10246
10247
10248
10249
10250
10251
10252
10253
10254
10255
10256
10257
10258
10259
10260
10261
10262
10263
10264
10265
10266
10267
10268
10269
10270
10271
10272
10273
10274
10275
10276
10277
10278
10279
10280
10281
10282
10283
10284
10285
10286
10287
10288
10289
10290
10291
10292
10293
10294
10295
10296
10297
10298
10299
10300
10301
10302
10303
10304
10305
10306
10307
10308
10309
10310
10311
10312
10313
10314
10315
10316
10317
10318
10319
10320
10321
10322
10323
10324
10325
10326
10327
10328
10329
10330
10331
10332
10333
10334
10335
10336
10337
10338
10339
10340
10341
10342
10343
10344
10345
10346
10347
10348
10349
10350
10351
10352
10353
10354
10355
10356
10357
10358
10359
10360
10361
10362
10363
10364
10365
10366
10367
10368
10369
10370
10371
10372
10373
10374
10375
10376
10377
10378
10379
10380
10381
10382
10383
10384
10385
10386
10387
10388
10389
10390
10391
10392
10393
10394
10395
10396
10397
10398
10399
10400
10401
10402
10403
10404
10405
10406
10407
10408
10409
10410
10411
10412
10413
10414
10415
10416
10417
10418
10419
10420
10421
10422
10423
10424
10425
10426
10427
10428
10429
10430
10431
10432
10433
10434
10435
10436
10437
10438
10439
10440
10441
10442
10443
10444
10445
10446
10447
10448
10449
10450
10451
10452
10453
10454
10455
10456
10457
10458
10459
10460
10461
10462
10463
10464
10465
10466
10467
10468
10469
10470
10471
10472
10473
10474
10475
10476
10477
10478
10479
10480
10481
10482
10483
10484
10485
10486
10487
10488
10489
10490
10491
10492
10493
10494
10495
10496
10497
10498
10499
10500
10501
10502
10503
10504
10505
10506
10507
10508
10509
10510
10511
10512
10513
10514
10515
10516
10517
10518
10519
10520
10521
10522
10523
10524
10525
10526
10527
10528
10529
10530
10531
10532
10533
10534
10535
10536
10537
10538
10539
10540
10541
10542
10543
10544
10545
10546
10547
10548
10549
10550
10551
10552
10553
10554
10555
10556
10557
10558
10559
10560
10561
10562
10563
10564
10565
10566
10567
10568
10569
10570
10571
10572
10573
10574
10575
10576
10577
10578
10579
10580
10581
10582
10583
10584
10585
10586
10587
10588
10589
10590
10591
10592
10593
10594
10595
10596
10597
10598
10599
10600
10601
10602
10603
10604
10605
10606
10607
10608
10609
10610
10611
10612
10613
10614
10615
10616
10617
10618
10619
10620
10621
10622
10623
10624
10625
10626
10627
10628
10629
10630
10631
10632
10633
10634
10635
10636
10637
10638
10639
10640
10641
10642
10643
10644
10645
10646
10647
10648
10649
10650
10651
10652
10653
10654
10655
10656
10657
10658
10659
10660
10661
10662
10663
10664
10665
10666
10667
10668
10669
10670
10671
10672
10673
10674
10675
10676
10677
10678
10679
10680
10681
10682
10683
10684
10685
10686
10687
10688
10689
10690
10691
10692
10693
10694
10695
10696
10697
10698
10699
10700
10701
10702
10703
10704
10705
10706
10707
10708
10709
10710
10711
10712
10713
10714
10715
10716
10717
10718
10719
10720
10721
10722
10723
10724
10725
10726
10727
10728
10729
10730
10731
10732
10733
10734
10735
10736
10737
10738
10739
10740
10741
10742
10743
10744
10745
10746
10747
10748
10749
10750
10751
10752
10753
10754
10755
10756
10757
10758
10759
10760
10761
10762
10763
10764
10765
10766
10767
10768
10769
10770
10771
10772
10773
10774
10775
10776
10777
10778
10779
10780
10781
10782
10783
10784
10785
10786
10787
10788
10789
10790
10791
10792
10793
10794
10795
10796
10797
10798
10799
10800
10801
10802
10803
10804
10805
10806
10807
10808
10809
10810
10811
10812
10813
10814
10815
10816
10817
10818
10819
10820
10821
10822
10823
10824
10825
10826
10827
10828
10829
10830
10831
10832
10833
10834
10835
10836
10837
10838
10839
10840
10841
10842
10843
10844
10845
10846
10847
10848
10849
10850
10851
10852
10853
10854
10855
10856
10857
10858
10859
10860
10861
10862
10863
10864
10865
10866
10867
10868
10869
10870
10871
10872
10873
10874
10875
10876
10877
10878
10879
10880
10881
10882
10883
10884
10885
10886
10887
10888
10889
10890
10891
10892
10893
10894
10895
10896
10897
10898
10899
10900
10901
10902
10903
10904
10905
10906
10907
10908
10909
10910
10911
10912
10913
10914
10915
10916
10917
10918
10919
10920
10921
10922
10923
10924
10925
10926
10927
10928
10929
10930
10931
10932
10933
10934
10935
10936
10937
10938
10939
10940
10941
10942
10943
10944
10945
10946
10947
10948
10949
10950
10951
10952
10953
10954
10955
10956
10957
10958
10959
10960
10961
10962
10963
10964
10965
10966
10967
10968
10969
10970
10971
10972
10973
10974
10975
10976
10977
10978
10979
10980
10981
10982
10983
10984
10985
10986
10987
10988
10989
10990
10991
10992
10993
10994
10995
10996
10997
10998
10999
11000
11001
11002
11003
11004
11005
11006
11007
11008
11009
11010
11011
11012
11013
11014
11015
11016
11017
11018
11019
11020
11021
11022
11023
11024
11025
11026
11027
11028
11029
11030
11031
11032
11033
11034
11035
11036
11037
11038
11039
11040
11041
11042
11043
11044
11045
11046
11047
11048
11049
11050
11051
11052
11053
11054
11055
11056
11057
11058
11059
11060
11061
11062
11063
11064
11065
11066
11067
11068
11069
11070
11071
11072
11073
11074
11075
11076
11077
11078
11079
11080
11081
11082
11083
11084
11085
11086
11087
11088
11089
11090
11091
11092
11093
11094
11095
11096
11097
11098
11099
11100
11101
11102
11103
11104
11105
11106
11107
11108
11109
11110
11111
11112
11113
11114
11115
11116
11117
11118
11119
11120
11121
11122
11123
11124
11125
11126
11127
11128
11129
11130
11131
11132
11133
11134
11135
11136
11137
11138
11139
11140
11141
11142
11143
11144
11145
11146
11147
11148
11149
11150
11151
11152
11153
11154
11155
11156
11157
11158
11159
11160
11161
11162
11163
11164
11165
11166
11167
11168
11169
11170
11171
11172
11173
11174
11175
11176
11177
11178
11179
11180
11181
11182
11183
11184
11185
11186
11187
11188
11189
11190
11191
11192
11193
11194
11195
11196
11197
11198
11199
11200
11201
11202
11203
11204
11205
11206
11207
11208
11209
11210
11211
11212
11213
11214
11215
11216
11217
11218
11219
11220
11221
11222
11223
11224
11225
11226
11227
11228
11229
11230
11231
11232
11233
11234
11235
11236
11237
11238
11239
11240
11241
11242
11243
11244
11245
11246
11247
11248
11249
11250
11251
11252
11253
11254
11255
11256
11257
11258
11259
11260
11261
11262
11263
11264
11265
11266
11267
11268
11269
11270
11271
11272
11273
11274
11275
11276
11277
11278
11279
11280
11281
11282
11283
11284
11285
11286
11287
11288
11289
11290
11291
11292
11293
11294
11295
11296
11297
11298
11299
11300
11301
11302
11303
11304
11305
11306
11307
11308
11309
11310
11311
11312
11313
11314
11315
11316
11317
11318
11319
11320
11321
11322
11323
11324
11325
11326
11327
11328
11329
11330
11331
11332
11333
11334
11335
11336
11337
11338
11339
11340
11341
11342
11343
11344
11345
11346
11347
11348
11349
11350
11351
11352
11353
11354
11355
11356
11357
11358
11359
11360
11361
11362
11363
11364
11365
11366
11367
11368
11369
11370
11371
11372
11373
11374
11375
11376
11377
11378
11379
11380
11381
11382
11383
11384
11385
11386
11387
11388
11389
11390
11391
11392
11393
11394
11395
11396
11397
11398
11399
11400
11401
11402
11403
11404
11405
11406
11407
11408
11409
11410
11411
11412
11413
11414
11415
11416
11417
11418
11419
11420
11421
11422
11423
11424
11425
11426
11427
11428
11429
11430
11431
11432
11433
11434
11435
11436
11437
11438
11439
11440
11441
11442
11443
11444
11445
11446
11447
11448
11449
11450
11451
11452
11453
11454
11455
11456
11457
11458
11459
11460
11461
11462
11463
11464
11465
11466
11467
11468
11469
11470
11471
11472
11473
11474
11475
11476
11477
11478
11479
11480
11481
11482
11483
11484
11485
11486
11487
11488
11489
11490
11491
11492
11493
11494
11495
11496
11497
11498
11499
11500
11501
11502
11503
11504
11505
11506
11507
11508
11509
11510
11511
11512
11513
11514
11515
11516
11517
11518
11519
11520
11521
11522
11523
11524
11525
11526
11527
11528
11529
11530
11531
11532
11533
11534
|
8 September 2023: Wouter
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian
Obser.
25 August 2023: Wouter
- Fix compile error on NetBSD in util/netevent.h.
23 August 2023: Wouter
- Tag for 1.18.0rc1 release.
22 August 2023: Wouter
- Set version number to 1.18.0.
21 August 2023: Wouter
- Debug Windows ci workflow.
- Fix windows ci workflow to install bison and flex.
- Fix for #925: unbound.service: Main process exited, code=killed,
status=11/SEGV. Fixes cachedb configuration handling.
- Fix #923: processQueryResponse() THROWAWAY should be mindful of
fail_reply.
- Fix unit test for unbound-control to work when threads are disabled,
and fix cache dump check.
18 August 2023: Wouter
- Fix for iter_dec_attempts that could cause a hang, part of
capsforid and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
17 August 2023: Wouter
- Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
RFC9018. Create server cookies for clients that send client cookies.
This needs to be explicitly turned on in the config file with:
`answer-cookie: yes`. A `cookie-secret:` can be configured for
anycast setups. Without one, a random cookie secret is generated.
The acl option `allow_cookie` allows queries with either a valid
cookie or over a stateful transport. The statistics output has
`queries_cookie_valid` and `queries_cookie_client` and
`queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
value determines a rate limit for queries with cookies, if desired.
- Fix regional_alloc_init for potential unaligned source of the copy.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
2 August 2023: George
- Move a cache reply callback in worker.c closer to the cache reply
generation.
1 August 2023: George
- Merge #911 from natalie-reece: Exclude EDE before other EDNS options
when there isn't enough space.
- For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
altogether) before giving up on attaching EDE options.
- More braces and formatting for Fix for EDNS EDE size calculation to
avoid future bugs.
- Fix to use the now cached EDE, if any, for CD_bit queries.
1 August 2023: Wouter
- Fix for EDNS EDE size calculation.
31 July 2023: George
- Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
and subnetcache.
31 July 2023: Wouter
- iana portlist update.
30 July 2023: George
- Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
28 July 2023: George
- Fix unused variable compile warning for kernel timestamps in
netevent.c
21 July 2023: George
- Merge #857 from eaglegai: fix potential memory leaks when errors
happen.
- For #857: fix mixed declarations and code.
- Merge #118 from mibere: Changed verbosity level for Redis init &
deinit.
- Merge #390 from Frank Riley: Add missing callbacks to the python
module.
- Cleaner failure code for callback functions in interface.i.
- Merge #889 from borisVanhoof: Free memory in error case + remove
unused function.
- For #889: use netcat-openbsd instead of netcat-traditional.
- For #889: Account for num_detached_states before possible
mesh_state_delete when erroring out.
20 July 2023: George
- Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
CLASSXX representation.
- For #909: Fix return values.
- Merge #901 from Sergei Trofimovich: config: improve handling of
unknown modules.
20 July 2023: Wouter
- For #909: Fix RR class comparison.
14 July 2023: George
- More clear description of the different auth-zone behaviors on the
man page.
13 July 2023: George
- Merge #880 from chipitsine: services/authzone.c: remove redundant
check.
11 July 2023: George
- Merge #664 from tilan7763: Add prefetch support for subnet cache
entries.
- For #664: Easier code flow for subnetcache prefetching.
- For #664: Add testcase.
- For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
differentiate from the new subnet prefetch support.
3 July 2023: George
- Merge #739: Add SVCB dohpath support.
- Code cleanup for sldns_str2wire_svcparam_key_lookup.
- Merge #802: add validation EDEs to queries where the CD bit is set.
- For #802: Cleanup comments and add RCODE check for CD bit test case.
- Skip the 00-lint test. splint is not maintained; it either does not
work or produces false positives. Static analysis is handled in the
clang test.
3 July 2023: Wouter
- Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
- Fix dereference of NULL variable warning in mesh_do_callback.
29 June 2023: George
- More fixes for reference counting for python module and clean up
failure code.
- Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
which causes memory leaks.
29 June 2023: Wouter
- Fix python modules with multiple scripts, by incrementing reference
counts.
27 June 2023: George
- Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
a new statistical counter.
- Remove warning about unknown cast-function-type warning pragma.
22 June 2023: Wouter
- Merge #903: contrib: add yocto compatible init script.
15 June 2023: Philip
- Fix for issue #887 (Timeouts to forward servers on BSD based
system with ASLR)
- Probably fixes #516 (Stream reuse does not work on Windows) as well
14 June 2023: George
- Properly handle all return values of worker_check_request during
early EDE code.
- Do not check the incoming request more than once.
12 June 2023: Wouter
- Merge #896: Fix: #895: pythonmodule: add all site-packages
directories to sys.path.
- Fix #895: python + sysconfig gives ANOTHER path comparing to
distutils.
- Fix for uncertain unit test for doh buffer size events.
25 May 2023: Wouter
- Fix unbound-dnstap-socket printout when no query is present.
- Fix unbound-dnstap-socket time fraction conversion for printout.
19 May 2023: Wouter
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix to remove unused variables from RPZ clientip data structure.
16 May 2023: Wouter
- Fix #888: [FR] Use kernel timestamps for dnstap.
- Fix to print debug log for ancillary data with correct IP address.
11 May 2023: Wouter
- Fix warning in windows compile, in set_recvtimestamp.
4 May 2023: Wouter
- Fix #885: Error: util/configlexer.c: No such file or directory,
adds error messages explaining to install flex and bison.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- Fix doxygen in addr_to_nat64 header definition.
1 May 2023: George
- Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
- For #722: minor fixes, formatting, refactoring.
1 May 2023: Wouter
- Fix RPZ IP responses with trigger rpz-drop on cache entries, that
they are dropped.
26 April 2023: Philip
- Fix issue #860: Bad interaction with 0 TTL records and serve-expired
26 April 2023: Wouter
- Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
sock-queue-timeout option that drops packets that have been in the
socket queue for too long. Added statistics num.queries_timed_out
and query.queue_time_us.max that track the socket queue timeouts.
- Fix for #882: small changes, date updated in Copyright for
util/timeval_func.c and util/timeval_func.h. Man page entries and
example entry.
- Fix for #882: document variable to stop doxygen warning.
19 April 2023: Wouter
- Fix for #878: Invalid IP address in unbound.conf causes Segmentation
Fault on OpenBSD.
14 April 2023: Wouter
- Merge #875: change obsolete txt URL in unbound-anchor.c to point
to RFC 7958, and Fix #874.
13 April 2023: Wouter
- Fix build badge, from failing travis link to github ci action link.
6 April 2023: Wouter
- Fix for #870: Add test case for the qname minimisation and CNAME.
4 April 2023: Wouter
- Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
CNAME record.
24 March 2023: Philip
- Fix issue #676: Unencrypted query is sent when
forward-tls-upstream: yes is used without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
21 March 2023: Philip
- Fix issue #851: reserved identifier violation
20 March 2023: Wouter
- iana portlist update.
17 March 2023: George
- Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
to ignore the unexpected eof while reading in openssl >= 3.
16 March 2023: Wouter
- Fix ssl.h include brackets, instead of quotes.
14 March 2023: Wouter
- Fix unbound-dnstap-socket test program to reply the finish frame
over a TLS connection correctly.
23 February 2023: Wouter
- Fix for #852: Completion of error handling.
21 February 2023: Philip
- Fix #825: Unexpected behavior with client-subnet-always-forward
and serve-expired
10 February 2023: George
- Clean up iterator/iterator.c::error_response_cache() and allow for
better interaction with serve-expired, prefetch and cached error
responses.
9 February 2023: George
- Allow TTL refresh of expired error responses.
- Add testcase for refreshing expired error responses.
9 February 2023: Wouter
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can
fetch improved content.
- Fix unit tests for spurious empty messages.
- Fix consistency of unit test without roundrobin answers for the
cnametooptout unit test.
- Fix to git ignore the library symbol file that configure can create.
8 February 2023: Wouter
- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
30 January 2023: George
- Add duration variable for speed_local.test.
26 January 2023: Wouter
- Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
23 January 2023: George
- Fix #833: [FR] Ability to set the Redis password.
23 January 2023: Wouter
- Fix #835: [FR] Ability to use Redis unix sockets.
20 January 2023: Wouter
- Merge #819: Added new static zone type block_a to suppress all A
queries for specific zones.
19 January 2023: Wouter
- Set max-udp-size default to 1232. This is the same default value as
the default value for edns-buffer-size. It restricts client edns
buffer size choices, and makes unbound behave similar to other DNS
resolvers. The new choice, down from 4096 means it is harder to get
large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
Tsinghua University.
- Add harden-unknown-additional option. It removes
unknown records from the authority section and additional section.
Thanks to Xiang Li, from NISL Lab, Tsinghua University.
- Set default for harden-unknown-additional to no. So that it does
not hamper future protocol developments.
- Fix test for new default.
18 January 2023: Wouter
- Fix not following cleared RD flags potentially enables amplification
DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab,
Tsinghua University. The fix stops query loops, by refusing to send
RD=0 queries to a forwarder, they still get answered from cache.
13 January 2023: Wouter
- Merge #826: Аdd a metric about the maximum number of collisions in
lrushah.
- Improve documentation for #826, describe the large collisions amount.
9 January 2023: Wouter
- Fix python module install path detection.
- Fix python version detection in configure.
6 January 2023: Wouter
- Fix #823: Response change to NODATA for some ANY queries since
1.12, tested on 1.16.1.
- Fix wildcard in hyperlocal zone service degradation, reported
by Sergey Kacheev. This fix is included in 1.17.1rc2.
That became 1.17.1 on 12 Jan 2023, the code repo continues
with 1.17.2. 1.17.1 excludes fix #823, it is included forwards.
5 January 2023: Wouter
- Tag for 1.17.1 release.
2 January 2023: Wouter
- Fix windows compile for libunbound subprocess reap comm point closes.
- Update github workflows to use checkout v3.
14 December 2022: George
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
13 December 2022: George
- Expose 'statistics-inhibit-zero' as a configuration option; the
default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the
default value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
13 December 2022: Wouter
- Merge #808: Wrap Makefile script's directory variables in quotes.
- Fix to wrap Makefile scripts directory in quotes for uninstall.
1 December 2022: Wouter
- Fix #773: When used with systemd-networkd, unbound does not start
until systemd-networkd-wait-online.service times out.
30 November 2022: George
- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
- Clear documentation for interactivity between the subnet module and
the serve-expired and prefetch configuration options.
30 November 2022: Wouter
- Fix #782: Segmentation fault in stats.c:404.
28 November 2022: Wouter
- Fix for the ignore of tcp events for closed comm points, preserve
the use after free protection features.
23 November 2022: Philip
- Merge #720 from jonathangray: fix use after free when
WSACreateEvent() fails.
22 November 2022: George
- Ignore expired error responses.
11 November 2022: Wouter
- Fix #779: [doc] Missing documention in ub_resolve_event() for
callback parameter was_ratelimited.
9 November 2022: George
- Complementary fix for distutils.sysconfig deprecation in Python 3.10
to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
8 November 2022: Wouter
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is closed.
- Fix #775: libunbound: subprocess reap causes parent process reap
to hang.
- iana portlist update.
21 October 2022: George
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
21 October 2022: Wouter
- Fix that cachedb does not store failures in the external cache.
18 October 2022: George
- Clarify the use of MAX_SENT_COUNT in the iterator code.
17 October 2022: Wouter
- testcode/dohclient sets log identity to its name.
14 October 2022: Wouter
- Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
- In unit test, print python script name list correctly.
13 October 2022: Wouter
- Tag for 1.17.0 release. The code repository continues with 1.17.1.
11 October 2022: George
- Fix PROXYv2 header read for TCP connections when no proxied addresses
are provided.
7 October 2022: Wouter
- Tag for 1.17.0rc1 release.
7 October 2022: George
- Fix to stop possible loops in the tcp reuse code (write_wait list
and tcp_wait list). Based on analysis and patch from Prad Seniappan
and Karthik Umashankar.
- Fix unit test to properly test the reuse_write_wait_pop function.
6 October 2022: Wouter
- Fix to stop responses with TC flag from resulting in partial
responses. It retries to fetch the data elsewhere, or fails the
query and in depth fix removes the TC flag from the cached item.
- Fix proxy length debug output printout typecasts.
5 October 2022: Wouter
- Fix dnscrypt compile for proxy protocol code changes.
5 October 2022: George
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
- Make ede.tdir test more predictable by using static data.
- Fix checkconf test for dnscrypt and proxy port.
4 October 2022: George
- Merge #764: Leniency for target discovery when under load (for
NRDelegation changes).
4 October 2022: Wouter
- Fix static analysis report to remove dead code from the
rpz_callback_from_iterator_module function.
- Fix to clean up after the acl_interface unit test.
3 October 2022: George
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
configuration option).
3 October 2022: Wouter
- Fix to remove erroneous TC flag from TCP upstream.
- Fix test tdir skip report printout.
- Fix windows compile, the identifier interface is defined in headers.
- Fix to close errno block in comm_point_tcp_handle_read outside of
ifdef.
26 September 2022: George
- Better output for skipped tdir tests.
21 September 2022: Wouter
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
- This patch was released in 1.16.3, the code repository continues
with the previous features and fixes for 1.17.0.
- Fix doxygen warning in respip.h.
20 September 2022: George
- Convert tdir tests to use the new skip_test functionality.
- Remove unused testcode/mini_tpkg.sh file.
16 September 2022: George
- Merge #753: ACL per interface. (New interface-* configuration
options).
2 September 2022: Wouter
- Remove include that was there for debug purposes.
- Fix to check pthread_t size after pthread has been detected.
1 September 2022: Wouter
- Fix to update config tests to fix checking if nonblocking sockets
work on OpenBSD.
- Slow down log frequency of write wait failures.
- Fix to set out of file descriptor warning to operational verbosity.
- Fix to log a verbose message at operational notice level if a
thread is not responding, to stats requests. It is logged with
thread identifiers.
31 August 2022: Wouter
- Fix to avoid process wide fcntl calls mixed with nonblocking
operations after a blocked write.
- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
operations, so that instruction reordering does not cause mistakenly
blocking socket operations.
- Fix to wait for blocked write on UDP sockets, with a timeout if it
takes too long the packet is dropped.
- Fix for wait for udp send to stop when packet is successfully sent.
22 August 2022: Wouter
- Fix #741: systemd socket activation fails on IPv6.
12 August 2022: Wouter
- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
per 10 seconds. Also log accept failures when no slow down is used.
5 August 2022: Wouter
- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
errors.
4 August 2022: Wouter
- Fix ratelimit inconsistency, for ip-ratelimits the value is the
amount allowed, like for ratelimits.
2 August 2022: Wouter
- Fix edns subnet so that scope 0 answers only match sourcemask 0
queries for answers from cache if from a query with sourcemask 0.
- Fix unittest for edns subnet change.
- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
to unsupported IPV6_USER_MTU socket option being set.
1 August 2022: Wouter
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Tests for ghost domain fixes.
- Tag for 1.16.2 release. The code repo continues with 1.16.3.
- Fix #728: alloc_reg_obtain() core dump. Stop double
alloc_reg_release when serviced_create fails.
19 July 2022: George
- Update documentation for 'outbound-msg-retry:'.
19 July 2022: Wouter
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
15 July 2022: Wouter
- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
And fixup the lock code.
- iana portlist update.
12 July 2022: George
- For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
cross-compiler versions.
12 July 2022: Wouter
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
11 July 2022: Wouter
- Fix verbose EDE error printout.
4 July 2022: George
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
4 July 2022: Wouter
- Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
The code repo continues with version 1.16.2 under development.
3 July 2022: George
- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
mode on openssl3.
- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
- For #660: formatting, less verbose logging, add EDE information.
- Fix for correct openssl error when adding windows CA certificates to
the openssl trust store.
- Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
- Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
1 July 2022: George
- Merge PR #706: NXNS fallback.
- From #706: Cached NXDOMAIN does not increase the target nx
responses.
- From #706: Don't generate parent side queries if we already
have the lame records in cache.
- From #706: When a lame address is the best choice, don't try to
generate target queries when the missing targets are all lame.
29 June 2022: Wouter
- iana portlist update.
- Fix detection of libz on windows compile with static option.
- Fix compile warning for windows compile.
29 June 2022: George
- Add debug option to the mini_tdir.sh test code.
- Fix #704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
command.
- Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
- Allow fallback to the parent side when MAX_TARGET_NX is reached.
This will also allow MAX_TARGET_NX more NXDOMAINs.
28 June 2022: George
- Show the output of the exact .rpl run that failed with 'make test'.
- Fix for cached 0 TTL records to not trigger prefetching when
serve-expired-client-timeout is set.
28 June 2022: Wouter
- Fix test program dohclient close to use portability routine.
23 June 2022: Tom
- Clarify -v flag manpage entry (#705)
22 June 2022: Philip
- Fix #663: use after free issue with edns options.
21 June 2022: Philip
- Fix for loading locally stored zones that have lines with blanks or
blanks and comments.
20 June 2022: George
- Remove unused LDNS function check for GOST Engine unloading.
14 June 2022: George
- Merge PR #688: Rpz url notify issue.
- Note in the unbound.conf text that NOTIFY is allowed from the url:
addresses for auth and rpz zones.
3 June 2022: George
- Fix for edns client subnet to respect not looking in its cache when
instructed to do so (e.g., prefetch).
3 June 2022: Wouter
- makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
27 May 2022: Wouter
- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions)
- Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
became release 1.16.0 on 2 June 2022. The source code branch
continues with version 1.16.1 under development.
20 May 2022: Wouter
- Fix to silence test for ede error output to the console from the
test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
18 May 2022: George
- Fix typos in config_set_option for the 'num-threads' and
'ede-serve-expired' options.
15 May 2022: George
- Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
by updating unbound-control's documentation.
12 May 2022: George
- Fix #417: prefetch and ECS causing cache corruption when used
together.
12 May 2022: Wouter
- Merge #677: Allow using system certificates not only on Windows,
from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
11 May 2022: Wouter
- Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
host.
10 May 2022: George
- Fix Python build in non-source directory; based on patch by
Michael Tokarev.
6 May 2022: Tom
- Merge PR #604: Add basic support for EDE (RFC8914).
28 April 2022: Wouter
- Fix #670: SERVFAIL problems with unbound 1.15.0 running on
OpenBSD 7.1.
8 April 2022: Wouter
- Fix zonemd check to allow unsupported algorithms to load.
If there are only unsupported algorithms, or unsupported schemes,
and no failed or successful other ZONEMD records, or malformed
or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
check routine, but after malformed checks, to get the correct NULL
output when the digest matches.
25 March 2022: Wouter
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
23 March 2022: Wouter
- Fix #651: [FR] Better logging for refused queries.
18 March 2022: George
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
'unbound-control stats_shm'.
17 March 2022: Wouter
- Fix to describe auth-zone and other configuration at the local-zone
configuration option, to allow for more broadly view of the options.
16 March 2022: Wouter
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
9 March 2022: Wouter
- Merge #644: Make `install-lib` make target install the pkg-config
file.
7 March 2022: Wouter
- Fix configure for python to use sysutils, because distutils is
deprecated. It uses sysutils when available, distutils otherwise.
3 March 2022: Wouter
- Fix #637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
2 March 2022: George
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
to str once, accept trailing dot in the local-zone ipset option.
2 March 2022: Wouter
- Fix compile warnings for printf ll format on mingw compile.
1 March 2022: Wouter
- Fix pythonmod for change in iter_dp_is_useless function prototype.
28 February 2022: George
- Fix #630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
28 February 2022: Wouter
- Fix #633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
so that it is not state dependent, after the state fix of #605 for
double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
25 February 2022: Wouter
- Fix to detect that no IPv6 support means that IPv6 addresses are
useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
18 February 2022: Wouter
- Fix that address not available is squelched from the logs for
udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
ERR_GET_REASON.
16 February 2022: Wouter
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
15 February 2022: Wouter
- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
11 February 2022: Wouter
- Fix #624: Unable to stop Unbound in Windows console (does not
respond to CTRL+C command).
- Fix #618: enabling interface-automatic disables DNS-over-TLS.
Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
7 February 2022: Wouter
- Fix that TCP interface does not use TLS when TLS is also configured.
4 February 2022: Wouter
- Fix #412: cache invalidation issue with CNAME+A.
3 February 2022: Wouter
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
- Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
The repository continues with version 1.15.1.
2 February 2022: George
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
2 February 2022: Wouter
- Update version number in repo to 1.15.0 for upcoming release,
since it changes the aggressive-nsec default and the ratelimit change.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
1 February 2022: George
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
31 January 2022: George
- Fix review comment for use-after-free when failing to send UDP out.
31 January 2022: Wouter
- iana portlist update.
29 January 2022: George
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
26 January 2022: George
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
26 January 2022: Wouter
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
25 January 2022: George
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
25 January 2022: Wouter
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
19 January 2022: George
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
14 January 2022: George
- Merge PR #605:
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
14 January 2022: Wouter
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
11 January 2022: George
- Fix prematurely terminated TCP queries when a reply has the same ID.
7 January 2022: Wouter
- Merge #600 from pemensik: Change file mode before changing file
owner.
5 January 2022: Wouter
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
4 January 2022: Wouter
- Fix #596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
22 December 2021: George
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
20 December 2021: George
- Fix #591: Unbound-anchor manpage links to non-existent license file.
13 December 2021: George
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
13 December 2021: Wouter
- Fix to pick up other class local zone information before unlock.
10 December 2021: George
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
10 December 2021: Wouter
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
6 December 2021: Wouter
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
3 December 2021: Wouter
- Fix compile warning for if_nametoindex on windows 64bit.
1 December 2021: Wouter
- configure is set to 1.14.0, and release branch.
This was released as version 1.14.0 on 9 Dec 2021, with the doxygen
fix below included. The main branch continues as 1.14.1.
- Fix doc/unbound.doxygen to remove obsolete tag warning.
1 December 2021: George
- Merge PR #511 from yan12125: Reduce unnecessary linking.
- Merge PR #493 from Jaap: Fix generation of libunbound.pc.
- Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
link-local addresses.
- Merge PR #562 from Willem: Reset keepalive per new tcp session.
- Merge PR #522 from sibeream: memory management violations fixed.
- Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
- Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
- Fix #574: Review fixes for size allocation.
30 November 2021: Wouter
- Fix to remove git tracking and ci information from release tarballs.
- iana portlist update.
29 November 2021: Wouter
- Merge PR #570 from rex4539: Fix typos.
- Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
- Fix to make python module opt_list use opt_list_in.
- Fix #574: unbound-checkconf reports fatal error if interface names
are used as value for interfaces:
- Fix #574: Review fixes for it.
- Fix #576: [FR] UB_* error codes in unbound.h
- Fix #574: Review fix for spelling.
15 November 2021: Tom
- Improve EDNS option handling, now also works for synthesised
responses such as local-data and server.id CH TXT responses.
5 November 2021: George
- Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
reclaimed more than once during callbacks.
- Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
5 November 2021: Wouter
- Fix that forward-zone name is documented as the full name of the
zone. It is not relative but a fully qualified domain name.
- Fix analyzer review failure in rpz action override code to not
crash on unlocking the local zone lock.
- Fix to remove unused code from rpz resolve client and action
function.
- Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
2 November 2021: Wouter
- Fix #552: Unbound assumes index.html exists on RPZ host.
11 October 2021: Wouter
- Fix chaos replies to have truncation for short message lengths,
or long reply strings.
- Fix to protect custom regional create against small values.
4 October 2021: Wouter
- Fix to add example.conf note for outbound-msg-retry.
27 September 2021: Wouter
- Implement RFC8375: Special-Use Domain 'home.arpa.'.
21 September 2021: Wouter
- For crosscompile on windows, detect 64bit stackprotector library.
- Fix crosscompile shell syntax.
- Fix crosscompile windows to use libssp when it exists.
- For the windows compile script disable gost.
- Fix that on windows, use BIO_set_callback_ex instead of deprecated
BIO_set_callback.
- Fix crosscompile script for the shared build flags.
20 September 2021: Wouter
- Fix crosscompile on windows to work with openssl 3.0.0 the
link with ws2_32 needs -l:libssp.a for __strcpy_chk.
Also copy results from lib64 directory if needed.
10 September 2021: Wouter
- Fix initialisation errors reported by gcc sanitizer.
- Fix lock debug code for gcc sanitizer reports.
- Fix more initialisation errors reported by gcc sanitizer.
8 September 2021: Wouter
- Merged #41 from Moritz Schneider: made outbound-msg-retry
configurable.
- Small fixes for #41: changelog, conflicts resolved,
processQueryResponse takes an iterator env argument like other
functions in the iterator, no colon in string for set_option,
and some whitespace style, to make it similar to the rest.
- Fix for #41: change outbound retry to int to fix signed comparison
warnings.
- Fix root_anchor test to check with new icannbundle date.
3 September 2021: Wouter
- Fix #538: Fix subnetcache statistics.
1 September 2021: Wouter
- Fix tcp fastopen failure when disabled, try normal connect instead.
27 August 2021: Wouter
- Fix #533: Negative responses get cached even when setting
cache-max-negative-ttl: 1
25 August 2021: Wouter
- Merge #401: RPZ triggers. This add additional RPZ triggers,
unbound supports a full set of rpz triggers, and this now
includes nsdname, nsip and clientip triggers. Also actions
are fully supported, and this now includes the tcp-only action.
- Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
to insert into RPZ.
- Fix the stream wait stream_wait_count_lock and http2 buffer locks
setup and desetup from race condition.
- Fix RPZ locks. Do not unlock zones lock if requested and rpz find
zone does not find the zone. Readlock the clientip that is found
for ipbased triggers. Unlock the nsdname zone lock when done.
Unlock zone and ip in rpz nsip and nsdname callback. Unlock
authzone and localzone if clientip found in rpz worker call.
- Fix compile warning in libunbound for listen desetup routine.
- Fix asynclook unit test for setup of lockchecks before log.
20 August 2021: Wouter
- Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
undefined.
- Fix #531: Fix: passed to proc after free.
17 August 2021: Wouter
- Fix that --with-ssl can use "/usr/include/openssl11" to pass the
location of a different openssl version.
- Fix #527: not sending quad9 cert to syslog (and may be more).
- Fix sed script in ssldir split handling.
16 August 2021: George
- Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
static.
16 August 2021: Wouter
- Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
13 August 2021: Wouter
- Support using system-wide crypto policies.
- Fix for #431: Squelch permission denied errors for udp connect,
and udp send, they are visible at higher verbosity settings.
- Fix zonemd verification of key that is not in DNS but in the zone
and needs a chain of trust.
- zonemd, fix order of bogus printout string manipulation.
12 August 2021: George
- Merge PR #514, from ziollek: Docker environment for run tests.
- For #514: generate configure.
12 August 2021: Wouter
- And 1.13.2rc1 became the 1.13.2 with the fix for the python module
build. The current code repository continues with version 1.13.3.
- Add test tool readzone to .gitignore.
- Merge #521: Update mini_event.c.
- Merge #523: fix: free() call more than once with the same pointer.
- Merge #519: Support for selective enabling tcp-upstream for
stub/forward zones.
- For #519: note stub-tcp-upstream and forward-tcp-upstream in
the example configuration file.
- For #519: yacc and lex. And fix python bindings, and test program
unbound-dnstap-socket.
- For #519: fix comments for doxygen.
- Fix to print error from unbound-anchor for writing to the key
file, also when not verbose.
5 August 2021: Wouter
- Tag for 1.13.2rc1 release.
- Fix #520: Unbound 1.13.2rc1 fails to build python module.
4 August 2021: George
- Merge PR #415 from sibeream: Use
/proc/sys/net/ipv4/ip_local_port_range to determine available outgoing
ports. (New --enable-linux-ip-local-port-range configuration option)
- Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
allows longer CNAME chains in Unbound.
4 August 2021: Wouter
- In unit test use openssl set security level to allow keys in test.
- Fix static analysis warnings about localzone locks that are unused.
- Fix missing locks in zonemd unit test.
- Fix readzone compile under debug config.
- Fix out of sourcedir run of zonemd unit tests.
- Fix libnettle zonemd unit test.
- Fix unit test zonemd_reload for use in run_vm.
3 August 2021: George
- Listen to read or write events after the SSL handshake.
Sticky events on windows would stick on read when write was needed.
3 August 2021: Wouter
- Merge PR #517 from dyunwei: #420 breaks the mesh reply list
function that need to reuse the dns answer.
- Annotate assertion into error printout; we think it may be an
error, but the situation looks harmless.
- Fix sign comparison warning on FreeBSD.
2 August 2021: Wouter
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
keyraw functions to produce EVP_PKEY results.
- Move RSA and DSA to use OpenSSL 3.0.0 API.
- Move ECDSA functions to use OpenSSL 3.0.0 API.
- iana portlist update.
- Fix verbose printout failure in tcp reuse unit test.
30 July 2021: Wouter
- Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
build unbound.
- For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
SSL_get_peer_certificate.
- Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
26 July 2021: George
- Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
introduces a couple of fixes for the stream reuse functionality
that could result in broken internal structures.
26 July 2021: Wouter
- Merge #512: unbound.service.in: upgrade hardening to latest
standards.
- Fix readzone unknown type print for memory resize.
21 July 2021: Wouter
- Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
line after a comment.
16 July 2021: George
- Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
16 July 2021: Wouter
- Merge #510 from ndptech: Don't call a function which hasn't been
defined.
- Fix for #510: in depth, use ifdefs for windows api event calls.
- Fix spelling in doc/unbound.doxygen comment.
- Fix spelling in localzone.h comment.
- Fix unbound-control local_data and local_datas to print detailed
syntax errors.
- review fix to remove duplicate error printout.
- Insert header into testcode/readzone.c, it was missing.
- Fix from lint for ignored return value.
- Fix for older parsers for function call in serve expired get cached.
6 July 2021: Wouter
- iana portlist update.
5 July 2021: George
- Fix compiler warnings for #491.
- Fix clang-analysis warnings for testcode/readzone.c.
4 July 2021: George
- Fix Wunused-result compile warnings.
2 July 2021: Tom
- Merge PR #491: Add SVCB and HTTPS types and handling according to
draft-ietf-dnsop-svcb-https.
2 July 2021: Wouter
- Fix #506: Python Module Seems to Leak Memory if it Experiences an
Unhandled Exception.
25 June 2021: Wouter
- Fix up permissions on rpl data file in tests.
- Fix testbound newline treatment in moment_read and tempfile write.
- Fix configure grep for reuseport default for failure.
- Fix compat ctime_r return value
- Fix configure does not require pkg-config if not needed.
- Fix unit test in the ctime_r calls for autotrust and in testbound.
- Fix auth zone download on windows to unlink before rename.
24 June 2021: Wouter
- Add analyzer and port compile github workflow.
23 June 2021: Wouter
- Fix #503: DNS over HTTPS response truncated.
- Fix warnings reported by the gcc analyzer.
21 June 2021: George
- Fix #495: Documentation or implementation of "verbosity" option.
18 June 2021: Wouter
- Fix a number of warnings reported by the gcc analyzer.
15 June 2021: George
- Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
14 June 2021: Wouter
- Fix configure nonblocking test and onmingw test to use host.
10 June 2021: Wouter
- Fix #500: SPEC file in version 1.13.1 references version 1.4;
unable to build RPM from source.
- Fix contrib/unbound.spec, fixed url and comment.
9 June 2021: George
- Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
- Generated lexer and parser for #486; updated example.conf.
- Fix #413 (based on patch by k-ronny): unbound: does not compile
on macOS 11.1-x86_64 host.
- Use host_os instead of target_os in configure for Darwin8 build.
8 June 2021: George
- Fix unused variable warning when compiling with --enable-dnstap.
7 June 2021: George
- Merge #448 from shoeper: Update unbound-control.8.in, fix
rpz_disable typo.
- Fix #425: Document auth-zone supports communication with DNS
primary on nondefault port.
1 June 2021: George
- Fix test for zonemd-check option.
27 May 2021: Wouter
- Merge #496 from banburybill: Use build system endianness if
available, otherwise try to work it out.
- zonemd-check: yesno option, default no, enables the processing
of ZONEMD records for that zone.
25 May 2021: Wouter
- Move the NSEC3 max iterations count in line with the 150 value
used by BIND, Knot and PowerDNS. This sets the default value
for it in the configuration to 150 for all key sizes.
- Fix #492: module-config respip missing in unbound.conf.5.in man
page. Merges #494 from he32.
- For #492: Fix font highlighting for the man page on emacs.
21 May 2021: Wouter
- Test code has -q option for quiet output.
19 May 2021: George
- Fix for #411, #439, #469: Reset the DNS message ID when moving queries
between TCP streams.
- Refactor for uniform way to produce random DNS message IDs.
17 May 2021: Wouter
- Fix #489: Compile using MSYS2 MinGW 64-bit.
12 May 2021: Wouter
- Fix that auth-zone zonefiles use last TTL if no TTL is specified.
10 May 2021: Wouter
- Merge PR #487: ifdef RLIMIT_AS in recently added check.
7 May 2021: Wouter
- Fix #485: Unbound occasionally reports broken stats.
- Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
- Remove case fallthrough from deprecate-rsa-1024 code.
4 May 2021: George
- Fix for #367: only attempt to get the interface for queries that are no
longer on the tcp_waiting_list.
- Add more logging for out-of-memory cases.
4 May 2021: Wouter
- Merge #478: Allow configuration of TCP timeout while waiting for
response.
- Fix to squelch tcp socket bind failures when the interface is gone.
- Rerun flex and bison.
3 May 2021: Wouter
- Fix #481: Fix comment in configuration file.
29 April 2021: Wouter
- Add that log-servfail prints an IP address and more information
about one of the last failures for that query.
28 April 2021: George
- Fix compiler warning for signed/unsigned comparison for
max_reuse_tcp_queries.
28 April 2021: Wouter
- Fix #474: always_null and others inside view.
26 April 2021: Wouter
- Merge #470 from edevil: Allow configuration of persistent TCP
connections.
22 April 2021: Wouter
- Merge #466 from FGasper: Support OpenSSLs that lack
SSL_get0_alpn_selected.
- Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
- Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
OpenSSL 1.0.1.
- Fix that testcode dohclient has OpenSSL initialisation calls.
13 April 2021: George
- Fix documentation comment for files previously residing in checkconf/.
- Remove unused functions worker_handle_reply and libworker_handle_reply.
13 April 2021: Wouter
- Fix that nxdomain synthesis does not happen above the stub or
forward definition.
12 April 2021: George
- Fix (increase) verbosity level for iterator error log in
processQueryTargets().
12 April 2021: Wouter
- Fix permission denied sendto log, squelch the log messages
unless high verbosity is set.
9 April 2021: Wouter
- rebuild configure to set EXTRALINK to libunbound.la for #460.
7 April 2021: Wouter
- Fix for #411: Depth protect for crash on deleted element timeout.
1 April 2021: Wouter
- Merge #460 from orbea: build: Link with the libtool archive.
- Fix to stop IPv6 PMTU discovery.
31 March 2021: George
- Clean makedist.sh.
31 March 2021: Wouter
- Fix stack-protector change to not override other CFLAGS options.
30 March 2021: George
- Disable the use of stack-protector for cross compiled 32-bit windows
builds; relates to #444.
25 March 2021: Wouter
- Fix #429: Also fix end of transfer for http download of auth zones.
24 March 2021: Wouter
- Fix deprecation test to work for iOS TVOS and WatchOS, it uses
CFLAGS and CPPFLAGS and also checks if the item is unavailable.
- Travis, fix script to fail when tasks fail.
- Travis, fix warning in ubsan compile.
- Fix configure Targetconfiditionals.h header check, to use compile.
- Fix that cachedb does not produce empty object files when disabled.
23 March 2021: Wouter
- Travis enable all tests again. Clang analyzer only a couple times,
when there is a difference. homebrew updates disabled, so it does
not hang. removed trailing slashes from configure paths. Moved iOS
tests to allow-failure.
- travis, analyzer disabled on test without debug, that does not
run anway. Turn off failing tests except one. Update iOS test
to xcode image 12.2.
22 March 2021: George
- Fix unused-function warning when compiling with --enable-dnscrypt.
- Fix for #367: fix memory leak when cannot bind to listening port.
- Reformat pythonmod/pythonmod_utils.{c,h}.
22 March 2021: Wouter
- Merge #449 from orbea: build: Add missing linker flags.
- iana portlist update.
- Comment out nonworking OSX and IOS travis tests, vm fails to start.
- Fix compile error in listen_dnsport on Android.
- Fix memory leak reported by asan in rpz SOA record query name.
19 March 2021: Wouter
- Fix for #447: squelch connection refused tcp connection failures
from the log, unless verbosity is high.
17 March 2021: Wouter
- Fix #441: Minimal NSEC range not accepted for top level domains.
11 March 2021: Wouter
- Fix parse of LOC RR type for decimetres.
5 March 2021: Wouter
- Workaround for #439: prevent loops in the reuse rbtree.
- Debug output for #411 and #439: printout internal error and details.
4 March 2021: Wouter
- iana portlist update.
- Fix spurious errors about "Could not generate request: out of
memory". The mesh detect cycle routine no longer wrongly stops
the check when the calling mesh state is unique.
26 February 2021: George
- Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
26 February 2021: Wouter
- Fix: Resolve interface names on control-interface too.
25 February 2021: Wouter
- Merge PR #367 : DNSTAP log local address. With code from PR #365
and fixes #368 : dnstap does not log the DNS message ID for
FORWARDER_QUERY.
- Fix to allow rpz with wildcard that applies to all TLDs at once.
24 February 2021: George
- Fix #384: (1) A minor request to improve the log (2) A minor bug in one
log message.
- ipsecmod: Better logging for detecting a cycle when attaching the
A/AAAA subquery.
24 February 2021: Wouter
- On startup of unbound it checks if rlimits on memory size look
sufficient for the configured cache size, and logs warning if not.
- Fix function documentation.
- Fix unit test for added ulimit checks.
- spelling fix in header.
23 February 2021: Wouter
- Fix for zonemd, that domain-insecure zones work without dnssec.
- Fix for zonemd, do not reject insecure result from trust anchor
validation step in dnssec chain of trust.
22 February 2021: Wouter
- Fix #431: Squelch permission denied errors for tcp connect
and udp connect from the logs, unless at high verbosity.
- Fix for zonemd, that nxdomain for the chain of trust is allowed
for island zones, it is treated as an insecure zone for verification.
18 February 2021: Wouter
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
ZONEMD records are checked for zones loaded as auth-zone,
with DNSSEC if available. There is an added option
zonemd-permissive-mode that makes it log but not fail wrong zones.
With zonemd-reject-absence for an auth-zone the presence of a
zonemd can be mandated for specific zones.
- Fix doxygen and pydoc warnings.
- Fix #429: rpz: url: with https: broken (regression in 1.13.1).
- rpz skip nsec3param records, and nicer log for unsupported actions.
15 February 2021: Wouter
- Fix #422: IPv6 fallback issues when IPv6 is not properly
enabled/configured.
- Fix to make tests work with support indicators set for iterator.
- Fix build on Python 3.10.
10 February 2021: Wouter
- Merge PR #420 from dyunwei: DOH not responsing with
"http2_query_read_done failure" logged.
9 February 2021: Wouter
- Fix for Python 3.9, no longer use deprecated functions of
PyEval_CallObject (now PyObject_Call), PyEval_InitThreads (now
none), PyParser_SimpleParseFile (now Py_CompileString).
4 February 2021: Wouter
- release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
This became 1.13.1 release tag on 9 feb. The main branch is set
to version 1.13.2.
2 February 2021: Wouter
- branch-1.13.1 is created, with release-1.13.1rc1 tag.
- Fix dynlibmod link on rhel8 for -ldl inclusion.
- Fix windows dependency on libssp.dll because of default stack
protector in mingw.
- Fix indentation of root anchor for use by windows install script.
1 February 2021: George
- Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
29 January 2021: Wouter
- Fix for doxygen 1.8.20 compatibility.
28 January 2021: Wouter
- Annotate that we ignore the return value of if_indextoname.
- Fix to use correct type for label count in rpz routine.
- Fix empty clause warning in config_file nsid parse.
- Fix to use correct type for label count in ipdnametoaddr rpz routine.
- Fix empty clause warning in edns pass for padding.
- Fix fwd ancil test post script when not supported.
26 January 2021: George
- Merge PR #408 from fobser: Prevent a few more yacc clashes.
- Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
original instead of a decrementing TTL ('serve-original-ttl')
- Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
static data.
- Ignore cache blacklisting when trying to reply with expired data from
cache (#394).
26 January 2021: Wouter
- Fix compile of unbound-dnstap-socket without dnstap installed.
22 January 2021: Willem
- Padding of queries and responses with DNS over TLS as specified in
RFC7830 and RFC8467.
22 January 2021: George
- Fix TTL of SOA record for negative answers (localzone and
authzone data) to be the minimum of the SOA TTL and the SOA.MINIMUM.
19 January 2021: Willem
- Support for RFC5001: DNS Name Server Identifier (NSID) Option
with the nsid: option in unbound.conf
18 January 2021: Wouter
- Fix #404: DNS query with small edns bufsize fail.
- Fix declaration before statement and signed comparison warning in
dns64.
15 January 2021: Wouter
- Merge #402 from fobser: Implement IPv4-Embedded addresses according
to RFC6052.
14 January 2021: Wouter
- Fix for #93: dynlibmodule import library is named libunbound.dll.a.
13 January 2021: Wouter
- Merge #399 from xiangbao227: The lock of lruhash table should
unlocked after markdel entry.
- Fix for #93: dynlibmodule link fix for Windows.
12 January 2021: Wouter
- Fix #397: [Feature request] add new type always_null to local-zone
similar to always_nxdomain.
- Fix so local zone types always_nodata and always_deny can be used
from the config file.
8 January 2021: Wouter
- Merge PR #391 from fhriley: Add start_time to reply callbacks so
modules can compute the response time.
- For #391: use struct timeval* start_time for callback information.
- For #391: fix indentation.
- For #391: more double casts in python start time calculation.
- Add comment documentation.
- Fix clang analysis warning.
6 January 2021: Wouter
- Fix #379: zone loading over HTTP appears to have buffer issues.
- Merge PR #395 from mptre: add missing null check.
- Fix #387: client-subnet-always-forward seems to effectively bypass
any caching?
5 January 2021: Wouter
- Fix #385: autoconf 2.70 impacts unbound build
- Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
to unbound-control.
4 January 2021: Wouter
- For #376: Fix that comm point event is not double removed or double
added to event map.
- iana portlist updated.
16 December 2020: George
- Fix error cases when udp-connect is set and send() returns an error
(modified patch from Xin Li @delphij).
11 December 2020: Wouter
- Fix #371: unbound-control timeout when Unbound is not running.
- Fix to squelch permission denied and other errors from remote host,
they are logged at higher verbosity but not on low verbosity.
- Merge PR #335 from fobser: Sprinkle in some static to prevent
missing prototype warnings.
- Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
is a GNU extension.
- Fix missing prototypes in the code.
3 December 2020: Wouter
- make depend.
- iana portlist updated.
2 December 2020: Wouter
- Fix #360: for the additionally reported TCP Fast Open makes TCP
connections fail, in that case we print a hint that this is
happening with the error in the logs.
- Fix #356: deadlock when listening tcp.
- Fix unbound-dnstap-socket to not use log routine from interrupt
handler and not print so frequently when invoked in sequence.
- Fix on windows to ignore connection failure on UDP, unless verbose.
- Fix for #283: fix stream reuse and tcp fast open.
- Fix update, with write event check with streamreuse and fastopen.
1 December 2020: Wouter
- Fix #358: Squelch udp connect 'no route to host' errors on low
verbosity.
30 November 2020: Wouter
- Fix assertion failure on double callback when iterator loses
interest in query at head of line that then has the tcp stream
not kept for reuse.
- tag for the 1.13.0rc4 release. This also became the 1.13.0
release version on 3 dec 2020 with the streamreuse and fastopen
fix from 2 dec 2020. The code repo continues for 1.13.1 in
development.
27 November 2020: Wouter
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
- tag for the 1.13.0rc3 release.
26 November 2020: Wouter
- Fix to omit UDP receive errors from log, if verbosity low.
These happen because of udp-connect.
- For #352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
25 November 2020: Wouter
- with udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets. Where
the tree key identity is preserved after cleanup of the TLS state.
- Remove debug commands from reuse tests.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
is written.
- Fix readagain and writeagain callback functions for comm point
cleanup.
- tag for the 1.13.0rc2 release.
24 November 2020: Wouter
- Merge PR #283 : Stream reuse. This implements upstream stream
reuse for performing several queries over the same TCP or TLS
channel.
- set version of main branch to 1.13.0 for upcoming release.
- iana portlist updated.
- Fix one port unit test for udp-connect.
- tag for the 1.13.0rc1 release.
- Fix crash when TLS connection is closed prematurely, when
reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
23 November 2020: George
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
edns-client-string option.
23 November 2020: Wouter
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
address families.
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
failed to list interfaces: getifaddrs: Address family not
supported by protocol.
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
- Option to toggle udp-connect, default is enabled.
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
with chown of pidfile.
- Further fix for it and retvalue 0 fix for it.
12 November 2020: Wouter
- Fix to connect() to UDP destinations, default turned on,
this lowers vulnerability to ICMP side channels.
- Retry for interfaces with unused ports if possible.
10 November 2020: Wouter
- Fix #341: fixing a possible memory leak.
- Fix memory leak after fix for possible memory leak failure.
- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
undeclared.
27 October 2020: Wouter
- In man page note that tls-cert-bundle is read before permission
drop and chroot.
22 October 2020: Wouter
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
query response.
21 October 2020: George
- Fix #327: net/if.h check fails on some darwin versions; contribution by
Joshua Root.
- Fix #320: potential memory corruption due to size miscomputation upton
custom region alloc init.
21 October 2020: Wouter
- Merge PR #228 : infra-keep-probing option to probe hosts that are
down. Add infra-keep-probing: yes option. Hosts that are down are
probed more frequently.
With the option turned on, it probes about every 120 seconds,
eventually after exponential backoff, and that keeps that way. If
traffic keeps up for the domain. It probes with one at a time, eg.
one query is allowed to probe, other queries within that 120 second
interval are turned away.
19 October 2020: George
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
unbound-control TLS certificates.
- Fix for PR #324 to attach the x509v3 extensions to the client
certificate.
19 October 2020: Ralph
- local-zone regional allocations outside of chunk
19 October 2020: Wouter
- Fix that http settings have colon in set_option, for
http-endpoint, http-max-streams, http-query-buffer-size,
http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
This adds the option http-notls-downstream: yesno to change that,
and the dohclient test code has the -n option.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Fix dnstap test to wait for log timer to see if queries are logged.
- Log ip address when http session recv fails, eg. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
of queries. It was tested to work.
16 October 2020: Wouter
- Fix that the out of order TCP processing does not limit the
number of outstanding queries over a connection.
15 October 2020: George
- Fix that if there are reply callbacks for the given rcode, those
are called per reply and a new message created if that was modified
by the call.
- Pass the comm_reply information to the inplace_cb_reply* functions
during the mesh state and update the documentation on that.
15 October 2020: Wouter
- Merge PR #326 from netblue30: DoH: implement content-length
header field
- DoH content length, simplify code, remove declaration after
statement and fix cast warning.
14 October 2020: Wouter
- Fix for python reply callback to see mesh state reply_list member,
it only removes it briefly for the commpoint call so that it does
not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host
13 October 2020: Wouter
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
if systemd support is build.
9 October 2020: Wouter
- Fix dnstap socket and the chroot not applied properly to the dnstap
socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
8 October 2020: Wouter
- Tag for 1.12.0 release.
- Current repo is version 1.12.1 in development.
- Fix #319: potential memory leak on config failure, in rpz config.
1 October 2020: Wouter
- Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
30 September 2020: Wouter
- Fix doh tests when not compiled in.
- Add dohclient test executable to gitignore.
- Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
alloc check debug output.
- Easier kill of unbound-dnstap-socket tool in test.
- Fix memory leak of edns tags at libunbound context delete.
- Fix double loopexit for unbound-dnstap-socket after sigterm.
29 September 2020: Ralph
- DNS Flag Day 2020: change edns-buffer-size default to 1232.
28 September 2020: Wouter
- Fix unit test for dnstap changes, so that it waits for the timer.
23 September 2020: Wouter
- Fix #305: dnstap logging significantly affects unbound performance
(regression in 1.11).
- Fix #305: only wake up thread when threshold reached.
- Fix to ifdef fptr wlist item for dnstap.
23 September 2020: Ralph
- Fix edns-client-tags get_option typo
- Add edns-client-tag-opcode option
- Use inclusive language in configuration
21 September 2020: Ralph
- Fix #304: dnstap logging not recovering after dnstap process restarts
21 September 2020: Wouter
- Merge PR #311 by luismerino: Dynlibmod leak.
- Error message is logged for dynlibmod malloc failures.
- iana portlist updated.
18 September 2020: Wouter
- Fix that prefer-ip4 and prefer-ip6 can be get and set with
unbound-control, with libunbound and the unbound-checkconf option
output function.
- iana portlist updated.
15 September 2020: George
- Introduce test for statistics.
15 September 2020: Wouter
- Spelling fix.
11 September 2020: Wouter
- Remove x file mode on ipset/ipset.c and h files.
9 September 2020: Wouter
- Fix num.expired statistics output.
31 August 2020: Wouter
- Merge PR #293: Add missing prototype. Also refactor to use the new
shorthand function to clean up the code.
- Refactor to use sock_strerr shorthand function.
- Fix #296: systemd nss-lookup.target is reached before unbound can
successfully answer queries. Changed contrib/unbound.service.in.
27 August 2020: Wouter
- Similar to NSD PR#113, implement that interface names can be used,
eg. something like interface: eth0 is resolved at server start and
uses the IP addresses for that named interface.
- Review fix, doxygen and assign null in case of error free.
26 August 2020: George
- Update documentation in python example code.
24 August 2020: Wouter
- Fix that dnstap reconnects do not spam the log with the repeated
attempts. Attempts on the timer are only logged on high verbosity,
if they produce a connection failure error.
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
- Change configure to use EVP_sha256 instead of HMAC_Update for
openssl-3.0.0.
20 August 2020: Ralph
- Fix stats double count issue (#289).
13 August 2020: Ralph
- Create and init edns tags data for libunbound.
10 August 2020: Ralph
- Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
by Vítězslav Čížek.
10 August 2020: Wouter
- Fix #287: doc typo: "Additionaly".
- Rerun autoconf
6 August 2020: Wouter
- Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
The DLV has been decommisioned and in unbound 1.5.4, in 2015, there
was advise to stop using it. The current code base does not contain
DLV code any more. The use of dlv options displays a warning.
5 August 2020: Wouter
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
5 August 2020: Ralph
- Merge PR #272: Add EDNS client tag functionality.
4 August 2020: George
- Improve error log message when inserting rpz RR.
- Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
definedness, by Felipe Gasper.
4 August 2020: Wouter
- Fix mini_event.h on OpenBSD cannot find fd_set.
31 July 2020: Wouter
- Fix doxygen comment for no ssl for tls session ticket key callback
routine.
27 July 2020: George
- Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
March 2020, by and0x000.
27 July 2020: Ralph
- Merge PR #269, Fix python module len() implementations, by Torbjörn
Lönnemark
27 July 2020: Wouter
- branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release.
- Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
20 July 2020: Wouter
- Fix streamtcp to print packet data to stdout. This makes the
stdout and stderr not mix together lines, when parsing its output.
- Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
due to added libdynmod, but it does not compile, it conflicts with
new rpz code.
- branch now named 1.11.0 and 1.11.0rc1 tag.
17 July 2020: Wouter
- Fix libnettle compile for session ticket key callback function
changes.
- Fix lock dependency cycle in rpz zone config setup.
17 July 2020: Ralph
- Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
Courrèges-Anglas.
- Fix PR #234 log_assert sizeof to use union buffer.
16 July 2020: Wouter
- Fix check conf test for referencing installation paths.
- Fix unused variable warning for clang analyzer.
16 July 2020: George
- Introduce 'include-toplevel:' configuration option.
16 July 2020: Ralph
- Add bidirectional frame streams support.
8 July 2020: Wouter
- Fix add missing DSA header, for compilation without deprecated
OpenSSL APIs.
- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
3.0.0-alpha4.
- Longer keys for the test set, this avoids weak crypto errors.
7 July 2020: Wouter
- Fix #259: Fix unbound-checkconf does not check view existence.
unbound-checkconf checks access-control-view, access-control-tags,
access-control-tag-actions and access-control-tag-datas.
- Fix offset of error printout for access-control-tag-datas.
- Review fixes for checkconf #259 change.
6 July 2020: Wouter
- run_vm cleanup better and removes trailing slash on single argument.
29 June 2020: Wouter
- Move reply list clean for serve expired mesh callback to after
the reply is sent, so that script callbacks have reply_info.
- Also move reply list clean for mesh callbacks to the scrip callback
can see the reply_info.
- Fix for mesh accounting if the reply list already empty to begin
with.
- Fix for mesh accounting when rpz decides to drop a reply with a
tcp stream waiting for it.
- Review fix for number of detached states due to use of variable
after end of loop.
- Fix tcp req info drop due to size call into mesh accounting
removal of mesh state during mesh send reply.
24 June 2020: Wouter
- iana portlist updated.
- doxygen file comments for dynlibmodule.
17 June 2020: Wouter
- Fix default explanation in man page for qname-minimisation-strict.
- Fix display of event loop method with libev.
8 June 2020: Wouter
- Mention tls name possible when tls is enabled for stub-addr in the
man page.
27 May 2020: George
- Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
"Requires:".
25 May 2020: George
- Update contrib/aaaa-filter-iterator.patch for the recent
generate_sub_request() change and to apply cleanly.
21 May 2020: George
- Fix for integer overflow when printing RDF_TYPE_TIME.
19 May 2020: Wouter
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
used to make Unbound unresponsive.
- Release 1.10.1 is 1.10.0 with fixes, code repository continues,
including those fixes, towards the next release. Configure has
version 1.10.2 version number in it.
- For PR #93: windows compile warnings removal
- windows compile warnings removal for ip dscp option code.
- For PR #93: unit test for dynlib module.
18 May 2020: Wouter
- For PR #93: dynlibmod can handle reloads and deinit and inits again,
with dlclose and dlopen of the library again. Also for multiple
modules. Fix memory leak by not closing dlopened content. Fix
to allow one dynlibmod instance by unbound-checkconf.
- For PR #93: checkconf allows multiple dynlib in module-config, for
a couple cases.
- For PR #93: checkconf allows python dynlib in module-config, for
a couple cases.
- For PR #93: man page spelling reference fix.
- For PR #93: fix link of other executables for dynlibmod dependency.
15 May 2020: Wouter
- Merge PR #93: Add dynamic library support.
- Fixed conflicts for PR #93 and make configure, yacc, lex.
- For PR #93: Fix warnings for dynlibmodule.
15 May 2020: Ralph
- Cache ECS answers with longest scope of CNAME chain.
22 April 2020: George
- Explicitly use 'rrset-roundrobin: no' for test cases.
21 April 2020: Wouter
- Merge #225 from akhait: KSK-2010 has been revoked. It removes the
KSK-2010 from the default list in unbound-anchor, now that the
revocation period is over. KSK-2017 is the only trust anchor in
the shipped default now.
21 April 2020: George
- Change default value for 'rrset-roundrobin' to yes.
- Fix tests for new rrset-roundrobin default.
20 April 2020: Wouter
- Fix #222: --enable-rpath, fails to rpath python lib.
- Fix for count of reply states in the mesh.
- Remove unneeded was_mesh_reply check.
17 April 2020: George
- Add SNI support on more TLS connections (fixes #193).
- Add SNI support to unbound-anchor.
16 April 2020: George
- Add doxygen documentation for DSCP.
16 April 2020: Wouter
- Fix help return code in unbound-control-setup script.
- Fix for posix shell syntax for trap in nsd-control-setup.
- Fix for posix shell syntax for trap in run_msg.sh test script.
15 April 2020: George
- Fix #220: auth-zone section in config may lead to segfault.
7 April 2020: Wouter
- Merge PR #214 from gearnode: unbound-control-setup recreate
certificates. With the -r option the certificates are created
again, without it, only the files that do not exist are created.
6 April 2020: Ralph
- Keep track of number of timeouts. Use this counter to determine if
capsforid fallback should be started.
6 April 2020: George
- More documentation for redis-expire-records option.
1 April 2020: George
- Merge PR #206: Redis TTL, by Talkabout.
30 March 2020: Wouter
- Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
- Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
transports.
27 March 2020: Wouter
- Merge PR #203 from noloader: Update README-Travis.md with current
procedures.
27 March 2020: Ralph
- Make unbound-control error returned on missing domain name more user
friendly.
26 March 2020: Ralph
- Fix RPZ concurrency issue when using auth_zone_reload.
25 March 2020: George
- Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
- Fix on #201.
24 March 2020: Wouter
- Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
tag for outgoing packets.
- Fixes on #200.
- Travis fix for ios by omitting tools from install.
23 March 2020: Wouter
- Fix compile on Solaris for unbound-checkconf.
20 March 2020: George
- Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
only used in this file.
20 March 2020: Wouter
- Merge PR #197 from fobser: Make log_ident_revert_to_default() a
proper prototype.
19 March 2020: Ralph
- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
- Fix #158: open tls-session-ticket-keys as binary, for Windows. By
Daisuke HIGASHI.
- Merge PR#134, Allow the kernel to provide random source ports. By
Florian Obser.
- Log warning when using outgoing-port-permit and outgoing-port-avoid
while explicit port randomisation is disabled.
- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
- Fix .travis.yml error, missing 'env' option.
16 March 2020: Wouter
- Fix #192: In the unbound-checkconf tool, the module config of
dns64 subnetcache respip validator iterator is whitelisted, it was
reported it seems to work.
12 March 2020: Wouter
- Fix compile of test tools without protobuf.
11 March 2020: Ralph
- Add check to make sure RPZ records are subdomains of configured
zone origin.
11 March 2020: George
- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
type, by noloader.
- Changelog entry for (Fix #189, Merge PR #190).
11 March 2020: Wouter
- Fix #188: unbound-control.c:882:6: error: 'execlp' is
unavailable: not available on tvOS.
6 March 2020: George
- Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
noloader
5 March 2020: Wouter
- Fix PR #182 from noloader: Add iOS testing to Travis.
4 March 2020: Ralph
- Update README-Travis.md (from PR #179), by Jeffrey Walton.
4 March 2020: George
- Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
4 March 2020: Wouter
- Merge PR #180 from noloader: Avoid calling exit in Travis script.
3 March 2020: George
- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
2 March 2020: Ralph
- Fix #175, Merge PR #176: fix link error when OpenSSL is configured
with no-engine, thanks noloader.
2 March 2020: George
- Fix compiler warning in dns64/dns64.c
- Merge PR #174: Add Android to Travis testing, by noloader.
- Move android build scripts to contrib/ and allow android tests to fail.
2 March 2020: Wouter
- Fix #177: dnstap does not build on macOS.
28 February 2020: Ralph
- Merge PR #172: Add IBM s390x arch for testing, by noloader.
28 February 2020: Wouter
- Merge PR #173: updated makedist.sh for config.guess and
config.sub and sha256 digest for gpg, by noloader.
- Merge PR #164: Framestreams, this branch implements dnstap
unidirectional connectivity in unbound. This has a number of
new features.
The dependency on libfstrm is removed. The fstrm protocol code
resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
contains a brief definition of what unbound needs.
The make unbound-dnstap-socket builds a debug tool,
unbound-dnstap-socket. It can listen, accept multiple DNSTAP
streams and print information. Commandline options control it.
Unbound can reconnect if the unix domain socket file socket is
closed. This uses exponential backoff after which it uses a
one second timer to throttle cpu down. There is also support
to use TCP and TLS for connecting to the log server. There
are new config options to turn them on, in the dnstap section
in the man page and example config file. dnstap-ip with IP
address of server for TCP or TLS use. dnstap-tls to turn
on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
dnstap-tls-client-key-file and dnstap-tls-client-cert-file
to configure the certificates for server authentication and
client authentication, or leave at "" to not use that.
27 February 2020: George
- Merge PR #171: Add additional compilers and platforms to Travis
testing, by noloader.
27 February 2020: Wouter
- Fix #169: Fix warning for daemon/remote.c output may be truncated
from snprintf.
- Fix #170: Fix gcc undefined sanitizer signed integer overflow
warning in signature expiry RFC1982 serial number arithmetic.
- Fix more undefined sanitizer issues, in respip copy_rrset null
dname, and in the client_info_compare routine for null memcmp.
26 February 2020: Wouter
- iana portlist updated.
25 February 2020: Wouter
- Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
using ipv4 filters, because the hosts ip6 netblock /64 is not owned
by one operator, and thus reputation is shared.
24 February 2020: George
- Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
20 February 2020: Wouter
- Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
Unbound from Yuri Voinov.
- master branch has 1.10.1 version.
18 February 2020: Wouter
- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
different openssl versions.
17 February 2020: Wouter
- changelog point where the tag for 1.10.0rc2 release is. And with
the unbound_smf23 commit added to it, that is the 1.10.0 release.
17 February 2020: Ralph
- Add respip to supported module-config options in unbound-checkconf.
17 February 2020: George
- Remove unused variable.
17 February 2020: Wouter
- contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
in RPZ-Format, contributed by Andreas Schulze.
14 February 2020: Wouter
- Fix spelling in unbound.conf.5.in.
- Stop unbound-checkconf from insisting that auth-zone and rpz
zonefiles have to exist. They can not exist, and download later.
13 February 2020: Wouter
- tag for 1.10.0rc1 release.
12 February 2020: Wouter
- Fix with libnettle make test with dsa disabled.
- Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
fixes, but it does not compile, conflicts with new rpz code.
- Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
- Fix compile warning when threads disabled.
- updated version number to 1.10.0.
10 February 2020: George
- Document 'ub_result.was_ratelimited' in libunbound.
- Fix use after free on log-identity after a reload; Fixes #163.
6 February 2020: George
- Fix num_reply_states and num_detached_states counting with
serve_expired_callback.
- Cleaner code in mesh_serve_expired_lookup.
- Document in unbound.conf manpage that configuration clauses can be
repeated in the configuration file.
6 February 2020: Wouter
- Fix num_reply_addr counting in mesh and tcp drop due to size
after serve_stale commit.
- Fix to create and destroy rpz_lock in auth_zones structure.
- Fix to lock zone before adding rpz qname trigger.
- Fix to lock and release once in mesh_serve_expired_lookup.
- Fix to put braces around empty if body when threading is disabled.
5 February 2020: George
- Added serve-stale functionality as described in
draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
to configure the behavior.
- Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
- Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
come with a configurable TTL value (`serve-expired-reply-ttl`).
- Fixed stats when replying with cached, cname-aliased records.
- Added missing default values for redis cachedb backend.
3 February 2020: Ralph
- Add assertion to please static analyzer
31 January 2020: Wouter
- Fix fclose on error in TLS session ticket code.
30 January 2020: Ralph
- Fix memory leak in error condition remote.c
- Fix double free in error condition view.c
- Fix memory leak in do_auth_zone_transfer on success
- Merge RPZ support into master. Only QNAME and Response IP triggers are
supported.
- Stop working on socket when socket() call returns an error.
- Check malloc return values in TLS session ticket code
30 January 2020: Wouter
- Fix subnet tests for disabled DSA algorithm by default.
- Update contrib/fastrpz.patch for clean diff with current code.
- Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
and Frzk. Updates the unbound.service systemd file and adds
a portable systemd service file.
- updated .gitignore for added contrib file.
- Add build rule for ipset to Makefile
- Add getentropy_freebsd.o to Makefile dependencies.
29 January 2020: Ralph
- Merge PR#156 from Alexander Berkes; Added unbound-control
view_local_datas_remove command.
29 January 2020: Wouter
- Fix #157: undefined reference to `htobe64'.
28 January 2020: Ralph
- Merge PR#147; change rfc reference for reserved top level dns names.
28 January 2020: Wouter
- iana portlist updated.
- Fix to silence the tls handshake errors for broken pipe and reset
by peer, unless verbosity is set to 2 or higher.
27 January 2020: Ralph
- Merge PR#154; Allow use of libbsd functions with configure option
--with-libbsd. By Robert Edmonds and Steven Chamberlain.
- Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
27 January 2020: Wouter
- Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
to Libs/Requires for crypto library dependencies.
- Fix #153: Disable validation for DSA algorithms. RFC 8624
compliance.
23 January 2020: Wouter
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
contrib/unbound_nochroot.service.in, a systemd file for use with
chroot: "", see comments in the file, it uses systemd protections
instead.
14 January 2020: Wouter
- Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
because dnscrypt-proxy (2.0.36) does not support the test setup
any more, and also the config file format does not seem to have
the appropriate keys to recreate that setup.
- Fix crash after reload where a stats lookup could reference old key
cache and neg cache structures.
- Fix for memory leak when edns subnet config options are read when
compiled without edns subnet support.
- Fix auth zone support for NSEC3 records without salt.
10 January 2020: Wouter
- Fix the relationship between serve-expired and prefetch options,
patch from Saksham Manchanda from Secure64.
- Fix unreachable code in ssl set options code.
8 January 2020: Ralph
- Fix #138: stop binding pidfile inside chroot dir in systemd service
file.
8 January 2020: Wouter
- Fix 'make test' to work for --disable-sha1 configure option.
- Fix out-of-bounds null-byte write in sldns_bget_token_par while
parsing type WKS, reported by Luis Merino from X41 D-Sec.
- Updated sldns_bget_token_par fix for also space for the zero
delimiter after the character. And update for more spare space.
6 January 2020: George
- Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
The dl_iterate_phdr() function introduced in newer versions raises
compilation errors on solaris 10.
- Changes to compat/getentropy_solaris.c for,
ifdef stdint.h inclusion for older systems.
ifdef sha2.h inclusion for older systems.
6 January 2020: Wouter
- Merge #135 from Florian Obser: Use passed in neg and key cache
if non-NULL.
- Fix #140: Document slave not downloading new zonefile upon update.
16 December 2019: George
- Update mailing list URL.
12 December 2019: Ralph
- Master is 1.9.7 in development.
- Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
Florian Obser
10 December 2019: Wouter
- Fix to make auth zone IXFR to fallback to AXFR if a single
response RR is received over TCP with the SOA in it.
6 December 2019: Wouter
- Fix ipsecmod compile.
- Fix Makefile.in for ipset module compile, from Adi Prasaja.
- release-1.9.6 tag, which became the 1.9.6 release
5 December 2019: Wouter
- unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
replacements for unbound-fuzzme.c that gets created after applying
the contrib/unbound-fuzzme.patch. They are contributed by
Eric Sesterhenn from X41 D-Sec.
- tag for 1.9.6rc1.
4 December 2019: Wouter
- Fix lock type for memory purify log lock deletion.
- Fix testbound for alloccheck runs, memory purify and lock checks.
- update contrib/fastrpz.patch to apply more cleanly.
- Fix Make Test Fails when Configured With --enable-alloc-nonregional,
reported by X41 D-Sec.
3 December 2019: Wouter
- Merge pull request #124 from rmetrich: Changed log lock
from 'quick' to 'basic' because this is an I/O lock.
- Fix text around serial arithmatic used for RRSIG times to refer
to correct RFC number.
- Fix Assert Causing DoS in synth_cname(),
reported by X41 D-Sec.
- Fix similar code in auth_zone synth cname to add the extra checks.
- Fix Assert Causing DoS in dname_pkt_copy(),
reported by X41 D-Sec.
- Fix OOB Read in sldns_wire2str_dname_scan(),
reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_str2wire_str_buf(),
reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_b64_pton(),
fixed by check in sldns_str2wire_int16_data_buf(),
reported by X41 D-Sec.
- Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
reported by X41 D-Sec.
- Fix Out of Bound Write Compressed Names in rdata_copy(),
reported by X41 D-Sec.
- Fix Hang in sldns_wire2str_pkt_scan(),
reported by X41 D-Sec.
This further lowers the max to 256.
- Fix snprintf() supports the n-specifier,
reported by X41 D-Sec.
- Fix Bad Indentation, in dnscrypt.c,
reported by X41 D-Sec.
- Fix Client NONCE Generation used for Server NONCE,
reported by X41 D-Sec.
- Fix compile error in dnscrypt.
- Fix _vfixed not Used, removed from sbuffer code,
reported by X41 D-Sec.
- Fix Hardcoded Constant, reported by X41 D-Sec.
- make depend
2 December 2019: Wouter
- Merge pull request #122 from he32: In tcp_callback_writer(),
don't disable time-out when changing to read.
22 November 2019: George
- Fix compiler warnings.
22 November 2019: Wouter
- Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
- Add make distclean that removes everything configure produced,
and make maintainer-clean that removes bison and flex output.
20 November 2019: Wouter
- Fix Out of Bounds Read in rrinternal_get_owner(),
reported by X41 D-Sec.
- Fix Race Condition in autr_tp_create(),
reported by X41 D-Sec.
- Fix Shared Memory World Writeable,
reported by X41 D-Sec.
- Adjust unbound-control to make stats_shm a read only operation.
- Fix Weak Entropy Used For Nettle,
reported by X41 D-Sec.
- Fix Randomness Error not Handled Properly,
reported by X41 D-Sec.
- Fix Out-of-Bounds Read in dname_valid(),
reported by X41 D-Sec.
- Fix Config Injection in create_unbound_ad_servers.sh,
reported by X41 D-Sec.
- Fix Local Memory Leak in cachedb_init(),
reported by X41 D-Sec.
- Fix Integer Underflow in Regional Allocator,
reported by X41 D-Sec.
- Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
- Synchronize compat/getentropy_win.c with version 1.5 from
OpenBSD, no changes but makes the file, comments, identical.
- Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
- Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
- Changes to compat/getentropy files for,
no link to openssl if using nettle, and hence config.h for
HAVE_NETTLE variable.
compat definition of MAP_ANON, for older systems.
ifdef stdint.h inclusion for older systems.
ifdef sha2.h inclusion for older systems.
- Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
- Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
- Fix Terminating Quotes not Written, reported by X41 D-Sec.
- Fix Useless memset() in validator, reported by X41 D-Sec.
- Fix Unrequired Checks, reported by X41 D-Sec.
- Fix Enum Name not Used, reported by X41 D-Sec.
- Fix NULL Pointer Dereference via Control Port,
reported by X41 D-Sec.
- Fix Bad Randomness in Seed, reported by X41 D-Sec.
- Fix python examples/calc.py for eval, reported by X41 D-Sec.
- Fix comments for doxygen in dns64.
19 November 2019: Wouter
- Fix CVE-2019-18934, shell execution in ipsecmod.
- 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
- Fix authzone printout buffer length check.
- Fixes to please lint checks.
- Fix Integer Overflow in Regional Allocator,
reported by X41 D-Sec.
- Fix Unchecked NULL Pointer in dns64_inform_super()
and ipsecmod_new(), reported by X41 D-Sec.
- Fix Out-of-bounds Read in rr_comment_dnskey(),
reported by X41 D-Sec.
- Fix Integer Overflows in Size Calculations,
reported by X41 D-Sec.
- Fix Integer Overflow to Buffer Overflow in
sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
- Fix Out of Bounds Read in sldns_str2wire_dname(),
reported by X41 D-Sec.
- Fix Out of Bounds Write in sldns_bget_token_par(),
reported by X41 D-Sec.
18 November 2019: Wouter
- In unbound-host use separate variable for get_option to please
code checkers.
- update to bison output of 3.4.1 in code repository.
- Provide a prototype for compat malloc to remove compile warning.
- Portable grep usage for reuseport configure test.
- Check return type of HMAC_Init_ex for openssl 0.9.8.
- gitignore .source tempfile used for compatible make.
13 November 2019: Wouter
- iana portlist updated.
- contrib/fastrpz.patch updated to apply for current code.
- fixes for splint cleanliness, long vs int in SSL set_mode.
11 November 2019: Wouter
- Fix #109: check number of arguments for stdin-pipes in
unbound-control and fail if too many arguments.
- Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
24 October 2019: Wouter
- Fix #99: Memory leak in ub_ctx (event_base will never be freed).
23 October 2019: George
- Add new configure option `--enable-fully-static` to enable full static
build if requested; in relation to #91.
23 October 2019: Wouter
- Merge #97: manpage: Add missing word on unbound.conf,
from Erethon.
22 October 2019: Wouter
- drop-tld.diff: adds option drop-tld: yesno that drops 2 label
queries, to stop random floods. Apply with
patch -p1 < contrib/drop-tld.diff and compile.
From Saksham Manchanda (Secure64). Please note that we think this
will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
lookups for downstream clients.
7 October 2019: Wouter
- Add doxygen comments to unbound-anchor source address code, in #86.
3 October 2019: Wouter
- Merge #90 from vcunat: fix build with nettle-3.5.
- Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
- Continue with development of 1.9.5.
- Merge #86 from psquarejho: Added -b source address option to
smallapp/unbound-anchor.c, from Lukas Wunner.
26 September 2019: Wouter
- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
Drop CAP_KILL, use + prefix for ExecReload= instead.
25 September 2019: Wouter
- The unbound.conf includes are sorted ascending, for include
statements with a '*' from glob.
23 September 2019: Wouter
- Merge #85 for #84 from sam-lunt: Add kill capability to systemd
service file to fix that systemctl reload fails.
20 September 2019: Wouter
- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
in unbound.service.
- Merge #81 from Maryse47: Consistently use /dev/urandom instead
of /dev/random in scripts and docs.
- Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
into the background.
19 September 2019: Wouter
- Fix #78: Memory leak in outside_network.c.
- Merge pull request #76 from Maryse47: Improvements and fixes for
systemd unbound.service.
- oss-fuzz badge on README.md.
- Fix fix for #78 to also free service callback struct.
- Fix for oss-fuzz build warning.
- Fix wrong response ttl for prepended short CNAME ttls, this would
create a wrong zero_ttl response count with serve-expired enabled.
- Merge #80 from stasic: Improve wording in man page.
11 September 2019: Wouter
- Use explicit bzero for wiping clear buffer of hash in cachedb,
reported by Eric Sesterhenn from X41 D-Sec.
9 September 2019: Wouter
- Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
LOG_DAEMON (as before) can set the syslog facility that the server
uses to log messages.
4 September 2019: Wouter
- Fix #71: fix openssl error squelch commit compilation error.
3 September 2019: Wouter
- squelch DNS over TLS errors 'ssl handshake failed crypto error'
on low verbosity, they show on verbosity 3 (query details), because
there is a high volume and the operator cannot do anything for the
remote failure. Specifically filters the high volume errors.
2 September 2019: Wouter
- ipset module #28: log that an address is added, when verbosity high.
- ipset: refactor long routine into three smaller ones.
- updated Makefile dependencies.
23 August 2019: Wouter
- Fix contrib/fastrpz.patch asprintf return value checks.
22 August 2019: Wouter
- Fix that pkg-config is setup before --enable-systemd needs it.
- 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
Master is 1.9.4 in development.
21 August 2019: Wouter
- Fix log_dns_msg to log irrespective of minimal responses config.
19 August 2019: Ralph
- Document limitation of pidfile removal outside of chroot directory.
16 August 2019: Wouter
- Fix unittest valgrind false positive uninitialised value report,
where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
issues an uninitialised value for the token buffer at the str2wire.c
rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
straight character comparisons removes the false positive. Also
valgrinds --expensive-definedness-checks=yes can stop this false
positive.
- Please doxygen's parser for "@" occurrence in doxygen comment.
- Fixup contrib/fastrpz.patch
- Remove warning about unknown cast-function-type warning pragma.
15 August 2019: Wouter
- iana portlist updated.
- Fix autotrust temp file uniqueness windows compile.
- avoid warning about upcast on 32bit systems for autotrust.
- escape commandline contents for -V.
- Fix character buffer size in ub_ctx_hosts.
- 1.9.3rc1 release candidate tag.
- Option -V prints if TCP fastopen is available.
14 August 2019: George
- Fix #59, when compiled with systemd support check that we can properly
communicate with systemd through the `NOTIFY_SOCKET`.
14 August 2019: Wouter
- Generate configlexer with newer flex.
- Fix warning for unused variable for compilation without systemd.
12 August 2019: George
- Introduce `-V` option to print the version number and build options.
Previously reported build options like linked libs and linked modules
are now moved from `-h` to `-V` as well for consistency.
- PACKAGE_BUGREPORT now also includes link to GitHub issues.
1 August 2019: Wouter
- For #52 #53, second context does not close logfile override.
- Fix #52 #53, fix for example fail program.
- Fix to return after failed auth zone http chunk write.
- Fix to remove unused test for task_probe existance.
- Fix to timeval_add for remaining second in microseconds.
- Check repinfo in worker_handle_request, if null, drop it.
29 July 2019: Wouter
- Add verbose log message when auth zone file is written, at level 4.
- Add hex print of trust anchor pointer to trust anchor file temp
name to make it unique, for libunbound created multiple contexts.
23 July 2019: Wouter
- Fix question section mismatch in local zone redirect.
19 July 2019: Wouter
- Fix #49: Set no renegotiation on the SSL context to stop client
session renegotiation.
12 July 2019: Wouter
- Fix #48: Unbound returns additional records on NODATA response,
if minimal-responses is enabled, also the additional for negative
responses is removed.
9 July 2019: Ralph
- Fix in respip addrtree selection. Absence of addr_tree_init_parents()
call made it impossible to go up the tree when the matching netmask is
too specific.
5 July 2019: Ralph
- Fix for possible assertion failure when answering respip CNAME from
cache.
25 June 2019: Wouter
- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
when do-not-query-localhost is turned on, or at default on,
unbound-checkconf prints a warning if it is found in forward-addr or
stub-addr statements.
24 June 2019: Wouter
- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
18 June 2019: Wouter
- PR #28: IPSet module, by Kevin Chou. Created a module to support
the ipset that could add the domain's ip to a list easily.
Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
- Fix to omit RRSIGs from addition to the ipset.
- Fix to make unbound-control with ipset, remove unused variable,
use unsigned type because of comparison, and assign null instead
of compare with it. Remade lex and yacc output.
- make depend
- Added documentation to the ipset files (for doxygen output).
- Merge PR #6: Python module: support multiple instances
- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
- Merge PR #4: Python module: assign something useful to the
per-query data store 'qdata'
- Fix python dict reference and double free in config.
17 June 2019: Wouter
- Master contains version 1.9.3 in development.
- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
- Fix for #24: Fix abort due to scan of auth zone masters using old
address from previous scan.
12 June 2019: Wouter
- Fix another spoolbuf storage code point, in prefetch.
- 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
on 17 June 2019.
11 June 2019: Wouter
- Fix that fixes the Fix that spoolbuf is not used to store tcp
pipelined response between mesh send and callback end, this fixes
error cases that did not use the correct spoolbuf.
- 1.9.2rc2 release candidate tag.
6 June 2019: Wouter
- 1.9.2rc1 release candidate tag.
4 June 2019: Wouter
- iana portlist updated.
29 May 2019: Wouter
- Fix to guard _OPENBSD_SOURCE from redefinition.
28 May 2019: Wouter
- Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
- gitignore config.h.in~.
27 May 2019: Wouter
- Fix double file close in tcp pipelined response code.
24 May 2019: Wouter
- Fix that spoolbuf is not used to store tcp pipelined response
between mesh send and callback end.
20 May 2019: Wouter
- Note that so-reuseport at extreme load is better turned off,
otherwise queries are not distributed evenly, on Linux 4.4.x.
16 May 2019: Wouter
- Fix #31: swig 4.0 and python module.
13 May 2019: Wouter
- Squelch log messages from tcp send about connection reset by peer.
They can be enabled with verbosity at higher values for diagnosing
network connectivity issues.
- Attempt to fix malformed tcp response.
9 May 2019: Wouter
- Revert fix for oss-fuzz, error is in that build script that
unconditionally includes .o files detected by configure, also
when the machine architecture uses different LIBOBJS files.
8 May 2019: Wouter
- Attempt to fix build failure in oss-fuzz because of reallocarray.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
Does not omit compile flags from commandline.
7 May 2019: Wouter
- Fix edns-subnet locks, in error cases the lock was not unlocked.
- Fix doxygen output error on readme markdown vignettes.
6 May 2019: Wouter
- Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
- Fix #30: AddressSanitizer finding in lookup3.c. This sets the
hash function to use a slower but better auditable code that does
not read beyond array boundaries. This makes code better security
checkable, and is better for security. It is fixed to be slower,
but not read outside of the array.
2 May 2019: Wouter
- contrib/fastrpz.patch updated for code changes, and with git diff.
- Fix .gitignore, add pythonmod and dnstap generated files.
And unit test generated files, and generated doc files.
1 May 2019: Wouter
- Update makedist for git.
- Nicer travis output for clang analysis.
- PR #16: XoT support, AXFR over TLS, turn it on with
master: <ip>#<authname> in unbound.conf. This uses TLS to
download the AXFR (or IXFR).
25 April 2019: Wouter
- Fix wrong query name in local zone redirect answers with a CNAME,
the copy of the local alias is in unpacked form.
18 April 2019: Ralph
- Scrub RRs from answer section when reusing NXDOMAIN message for
subdomain answers.
- For harden-below-nxdomain: do not consider a name to be non-exitent
when message contains a CNAME record.
18 April 2019: Wouter
- travis build file.
16 April 2019: Wouter
- Better braces in if statement in TCP fastopen code.
- iana portlist updated.
15 April 2019: Wouter
- Fix tls write event for read state change to re-call SSL_write and
not resume the TLS handshake.
11 April 2019: George
- Update python documentation for init_standard().
- Typos.
11 April 2019: Wouter
- Fix that auth zone uses correct network type for sockets for
SOA serial probes. This fixes that probes fail because earlier
probe addresses are unreachable.
- Fix that auth zone fails over to next master for timeout in tcp.
- Squelch SSL read and write connection reset by peer and broken pipe
messages. Verbosity 2 and higher enables them.
8 April 2019: Wouter
- Fix to use event_assign with libevent for thread-safety.
- verbose information about auth zone lookup process, also lookup
start, timeout and fail.
- Fix #17: Add python module example from Jan Janak, that is a
plugin for the Unbound DNS resolver to resolve DNS records in
multicast DNS [RFC 6762] via Avahi. The plugin communicates
with Avahi via DBus. The comment section at the beginning of
the file contains detailed documentation.
- Fix to wipe ssl ticket keys from memory with explicit_bzero,
if available.
5 April 2019: Wouter
- Fix to reinit event structure for accepted TCP (and TLS) sockets.
4 April 2019: Wouter
- Fix spelling error in log output for event method.
3 April 2019: Wouter
- Move goto label in answer_from_cache to the end of the function
where it is more visible.
- Fix auth-zone NSEC3 response for wildcard nodata answers,
include the closest encloser in the answer.
2 April 2019: Wouter
- Fix auth-zone NSEC3 response for empty nonterminals with exact
match nsec3 records.
- Fix for out of bounds integers, thanks to OSTIF audit. It is in
allocation debug code.
- Fix for auth zone nsec3 ent fix for wildcard nodata.
25 March 2019: Wouter
- Fix that tls-session-ticket-keys: "" on its own in unbound.conf
disables the tls session ticker key calls into the OpenSSL API.
- Fix crash if tls-servic-pem not filled in when necessary.
21 March 2019: Wouter
- Fix #4240: Fix whitespace cleanup in example.conf.
19 March 2019: Wouter
- add type CAA to libpyunbound (accessing libunbound from python).
18 March 2019: Wouter
- Add log message, at verbosity 4, that says the query is encrypted
with TLS, if that is enabled for the query.
- Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
7 March 2019: Wouter
- Fix for #4233: guard use of NDEBUG, so that it can be passed in
CFLAGS into configure.
5 March 2019: Wouter
- Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
has 1.9.2 in development.
1 March 2019: Wouter
- output forwarder log in ssl_req_order test.
28 February 2019: Wouter
- Remove memory leak on pythonmod python2 script file init.
- Remove swig gcc8 python function cast warnings, they are ignored.
- Print correct module that failed when module-config is wrong.
27 February 2019: Wouter
- Fix #4229: Unbound man pages lack information, about access-control
order and local zone tags, and elements in views.
- Fix #14: contrib/unbound.init: Fix wrong comparison judgment
before copying.
- Fix for python module on Windows, fix fopen.
25 February 2019: Wouter
- Fix #4227: pair event del and add for libevent for tcp_req_info.
21 February 2019: Wouter
- Fix the error for unknown module in module-config is understandable,
and explains it was not compiled in and where to see the list.
- In example.conf explain where to put cachedb module in module-config.
- In man page and example config explain that most modules have to
be listed at the start of module-config.
20 February 2019: Wouter
- Fix pythonmod include and sockaddr_un ifdefs for compile on
Windows, and for libunbound.
18 February 2019: Wouter
- Print query name with ip_ratelimit exceeded log lines.
- Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.
14 February 2019: Wouter
- Fix capsforid canonical sort qsort callback.
11 February 2019: Wouter
- Note default for module-config in man page.
- Fix recursion lame test for qname minimisation asked queries,
that were not present in the set of prepared answers.
- Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
cert name matching, from man page.
- make depend, with newer gcc, nicer layout.
7 February 2019: Wouter
- Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
- Fix that qname minimisation does not skip a label when missing
nameserver targets need to be fetched.
- Fix #4225: clients seem to erroneously receive no answer with
DNS-over-TLS and qname-minimisation.
4 February 2019: Wouter
- Fix that log-replies prints the correct name for local-alias
names, for names that have a CNAME in local-data configuration.
It logs the original query name, not the target of the CNAME.
- Add local-zone type inform_redirect, which logs like type inform,
and redirects like type redirect.
- Perform canonical sort for 0x20 capsforid compare of replies,
this sorts rrsets in the authority and additional section before
comparison, so that out of order rrsets do not cause failure.
31 January 2019: Wouter
- Set ub_ctx_set_tls call signature in ltrace config file for
libunbound in contrib/libunbound.so.conf.
- improve documentation for tls-service-key and forward-first.
- #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
conditional section, fixes systemd builds, from Enrico Scholz.
- #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
still supports the set_id_callback previous API. And for 1.1.0
no locking callbacks are needed.
- #8: Fix OpenSSL without ENGINE support compilation.
- Wipe TLS session key data from memory on exit.
30 January 2019: Ralph
- Fix case in which query timeout can result in marking delegation
as edns_lame_known.
29 January 2019: Wouter
- Fix spelling of tls-ciphers in example.conf.in.
- Fix #4224: auth_xfr_notify.rpl test broken due to typo
- Fix locking for libunbound context setup with broken port config.
28 January 2019: Wouter
- ub_ctx_set_tls call for libunbound that enables DoT for the machines
set with ub_ctx_set_fwd. Patch from Florian Obser.
- Set build system for added call in the libunbound API.
- List example config for root zone copy locally hosted with auth-zone
as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
B root address.
- set version to 1.9.0 for release. And this was released with the
spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
development.
25 January 2019: Wouter
- Fix that tcp for auth zone and outgoing does not remove and
then gets the ssl read again applied to the deleted commpoint.
- updated contrib/fastrpz.patch to cleanly diff.
- no lock when threads disabled in tcp request buffer count.
- remove compile warnings from libnettle compile.
- output of newer lex 2.6.1 and bison 3.0.5.
24 January 2019: Wouter
- Newer aclocal and libtoolize used for generating configure scripts,
aclocal 1.16.1 and libtoolize 2.4.6.
- Fix unit test for python 3.7 new keyword 'async'.
- clang analysis fixes, assert arc4random buffer in init,
no check for already checked delegation pointer in iterator,
in testcode check for NULL packet matches, in perf do not copy
from NULL start list when growing capacity. Adjust host and file
only when present in test header read to please checker. In
testcode for unknown macro operand give zero result. Initialise the
passed argv array in test code. In test code add EDNS data
segment copy only when nonempty.
- Patch from Florian Obser fixes some compiler warnings:
include mini_event.h to have a prototype for mini_ev_cmp
include edns.h to have a prototype for apply_edns_options
sldns_wire2str_edns_keepalive_print is only called in the wire2str,
module declare it static to get rid of compiler warning:
no previous prototype for function
infra_find_ip_ratedata() is only called in the infra module,
declare it static to get rid of compiler warning:
no previous prototype for function
do not shadow local variable buf in authzone
auth_chunks_delete and az_nsec3_findnode are only called in the
authzone module, declare them static to get rid of compiler warning:
no previous prototype for function...
copy_rrset() is only called in the respip module, declare it
static to get rid of compiler warning:
no previous prototype for function 'copy_rrset'
no need for another variable "r"; gets rid of compiler warning:
declaration shadows a local variable in libunbound.c
no need for another variable "ns"; gets rid of compiler warning:
declaration shadows a local variable in iterator.c
- Moved includes and make depend.
23 January 2019: Wouter
- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
options for unbound.conf.
- Fixes for the patch, and man page entry.
- Fix configure to detect SSL_CTX_set_ciphersuites, for better
library compatibility when compiling.
- Patch for TLS session resumption from Manabu Sonoda,
enable with tls-session-ticket-keys in unbound.conf.
- Fixes for patch (includes, declarations, warnings). Free at end
and keep config options in order read from file to keep the first
one as the first one.
- Fix for IXFR fallback to reset counter when IXFR does not timeout.
22 January 2019: Wouter
- Fix space calculation for tcp req buffer size.
- Doc for stream-wait-size and unit test.
- unbound-control stats has mem.streamwait that counts TCP and TLS
waiting result buffers.
- Fix for #4219: secondaries not updated after serial change, unbound
falls back to AXFR after IXFR gives several timeout failures.
- Fix that auth zone after IXFR fallback tries the same master.
21 January 2019: Wouter
- Fix tcp idle timeout test, for difference in the tcp reply code.
- Unit test for tcp request reorder and timeouts.
- Unit tests for ssl out of order processing.
- Fix that multiple dns fragments can be carried in one TLS frame.
- Add stream-wait-size: 4m config option to limit the maximum
memory used by waiting tcp and tls stream replies. This avoids
a denial of service where these replies use up all of the memory.
17 January 2019: Wouter
- For caps-for-id fallback, use the whitelist to avoid timeout
starting a fallback sequence for it.
- increase mesh max activation count for capsforid long fetches.
16 January 2019: Ralph
- Get ready for the DNS flag day: remove EDNS lame procedure, do not
re-query without EDNS after timeout.
15 January 2019: Wouter
- In the out of order processing, reset byte count for (potential)
partial read.
- Review fixes in out of order processing.
14 January 2019: Wouter
- streamtcp option -a send queries consecutively and prints answers
as they arrive.
- Fix for out of order processing administration quit cleanup.
- unit test for tcp out of order processing.
11 January 2019: Wouter
- Initial commit for out-of-order processing for TCP and TLS.
9 January 2019: Wouter
- Log query name for looping module errors.
8 January 2019: Wouter
- Fix syntax in comment of local alias processing.
- Fix NSEC3 record that is returned in wildcard replies from
auth-zone zones with NSEC3 and wildcards.
7 January 2019: Wouter
- On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
and server tcp fastopen is enabled at compile time.
- Document interaction between the tls-upstream option in the server
section and forward-tls-upstream option in the forward-zone sections.
- Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
the patch adds a program used for fuzzing.
12 December 2018: Wouter
- Fix for crash in dns64 module if response is null.
10 December 2018: Wouter
- Fix config parser memory leaks.
- ip-ratelimit-factor of 1 allows all traffic through, instead of the
previous blocking everything.
- Fix for FreeBSD port make with dnscrypt and dnstap enabled.
- Fix #4206: support openssl 1.0.2 for TLS hostname verification,
alongside the 1.1.0 and later support that is already there.
- Fixup openssl 1.0.2 compile
6 December 2018: Wouter
- Fix dns64 allocation in wrong region for returned internal queries.
3 December 2018: Wouter
- Fix icon, no ragged edges and nicer resolutions available, for eg.
Win 7 and Windows 10 display.
- cache-max-ttl also defines upperbound of initial TTL in response.
30 November 2018: Wouter
- Patch for typo in unbound.conf man page.
- log-tag-queryreply: yes in unbound.conf tags the log-queries and
log-replies in the log file for easier log filter maintenance.
29 November 2018: Wouter
- iana portlist updated.
- Fix chroot auth-zone fix to remove chroot prefix.
- tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
updated. Trunk contains 1.8.3 in development.
Which became 1.8.3 on 11 december with only the dns64 fix of 6 dec.
Trunk then became 1.8.4 in development.
- Fix that unbound-checkconf does not complains if the config file
is not placed inside the chroot.
- Refuse to start with no ports.
- Remove clang analysis warnings.
28 November 2018: Wouter
- Fix leak in chroot fix for auth-zone.
- Fix clang analysis for outside directory build test.
27 November 2018: Wouter
- Fix DNS64 to not store intermediate results in cache, this avoids
other threads from picking up the wrong data. The module restores
the previous no_cache_store setting when the the module is finished.
- Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
- New and better fix for Fix #4193: Fix that prefetch failure does
not overwrite valid cache entry with SERVFAIL.
- auth-zone give SERVFAIL when expired, fallback activates when
expired, and this is documented in the man page.
- stat count SERVFAIL downstream auth-zone queries for expired zones.
- Put new logos into windows installer.
- Fix windows compile for new rrset roundrobin fix.
- Update contrib fastrpz patch for latest release.
26 November 2018: Wouter
- Fix to not set GLOB_NOSORT so the unbound.conf include: files are
sorted and in a predictable order.
- Fix #4193: Fix that prefetch failure does not overwrite valid cache
entry with SERVFAIL.
- Add unbound-control view_local_datas command, like local_datas.
- Fix that unbound-control can send file for view_local_datas.
22 November 2018: Wouter
- With ./configure --with-pyunbound --with-pythonmodule
PYTHON_VERSION=3.6 or with 2.7 unbound can compile and unit tests
succeed for the python module.
- pythonmod logs the python error and traceback on failure.
- ignore debug python module for test in doxygen output.
- review fixes for python module.
- Fix #4209: Crash in libunbound when called from getdns.
- auth zone zonefiles can be in a chroot, the chroot directory
components are removed before use.
- Fix that empty zonefile means the zonefile is not set and not used.
- make depend.
21 November 2018: Wouter
- Scrub NS records from NODATA responses as well.
20 November 2018: Wouter
- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache.
- Add patch from Jan Vcelak for pythonmod,
add sockaddr_storage getters, add support for query callbacks,
allow raw address access via comm_reply and update API documentation.
- Removed compile warnings in pythonmod sockaddr routines.
19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
option in unbound.conf.
6 November 2018: Ralph
- Bugfix min-client-subnet-ipv6
25 October 2018: Ralph
- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
25 October 2018: Wouter
- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
- Fix #4190: Please create a "ANY" deny option, adds the option
deny-any: yes in unbound.conf. This responds with an empty message
to queries of type ANY.
- Fix #4141: More randomness to rrset-roundrobin.
- Fix #4132: Openness/closeness of RANGE intervals in rpl files.
- Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
adds the option unknown-server-time-limit to unbound.conf that
can be increased to avoid the problem.
- remade makefile dependencies.
- Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
24 October 2018: Ralph
- Add markdel function to ECS slabhash.
- Limit ECS scope returned to client to the scope used for caching.
- Make lint like previous #4154 fix.
22 October 2018: Wouter
- Fix #4192: unbound-control-setup generates keys not readable by
group.
- check that the dnstap socket file can be opened and exists, print
error if not.
- Fix #4154: make ECS_MAX_TREESIZE configurable, with
the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
22 October 2018: Ralph
- Change fast-server-num default to 3.
8 October 2018: Ralph
- Add fast-server-permil and fast-server-num options.
- Deprecate low-rtt and low-rtt-permil options.
8 October 2018: Wouter
- Squelch log of failed to tcp initiate after TCP Fastopen failure.
5 October 2018: Wouter
- Squelch EADDRNOTAVAIL errors when the interface goes away,
this omits 'can't assign requested address' errors unless
verbosity is set to a high value.
- Set default for so-reuseport to no for FreeBSD. It is enabled
by default for Linux and DragonFlyBSD. The setting can
be configured in unbound.conf to override the default.
- iana port update.
2 October 2018: Wouter
- updated contrib/fastrpz.patch to apply for this version
- dnscrypt.c removed sizeof to get array bounds.
- Fix testlock code to set noreturn on error routine.
- Remove unused variable from contrib fastrpz/rpz.c and
remove unused diagnostic pragmas that themselves generate warnings
- clang analyze test is used only when assertions are enabled.
1 October 2018: Wouter
- tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
fastrpz.patch fix included. Trunk has 1.8.2 in development.
27 September 2018: Wouter
- Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
qname minimisation with a forwarder when connectivity has issues
from rejecting responses.
25 September 2018: Wouter
- Perform TLS SNI indication of the host that is being contacted
for DNS over TLS service. It sets the configured tls auth name.
This is useful for hosts that apart from the DNS over TLS services
also provide other (web) services.
- Fix #4149: Add SSL cleanup for tcp timeout.
17 September 2018: Wouter
- Fix compile on Mac for unbound, provide explicit_bzero when libc
does not have it.
- Fix unbound for openssl in FIPS mode, it uses the digests with
the EVP call contexts.
- Fix that with harden-below-nxdomain and qname minisation enabled
some iterator states for nonresponsive domains can get into a
state where they waited for an empty list.
- Stop UDP to TCP failover after timeouts that causes the ping count
to be reset by the TCP time measurement (that exists for TLS),
because that causes the UDP part to not be measured as timeout.
- Fix #4156: Fix systemd service manager state change notification.
13 September 2018: Wouter
- Fix seed for random backup code to use explicit zero when wiped.
- exit log routine is annotated as noreturn function.
- free memory leaks in config strlist and str2list insert functions.
- do not move unused argv variable after getopt.
- Remove unused if clause in testcode.
- in testcode, free async ids, initialise array, and check for null
pointer during test of the test. And use exit for return to note
irregular program stop.
- Free memory leak in config strlist append.
- make sure nsec3 comparison salt is initialized.
- unit test has clang analysis.
- remove unused variable assignment from iterator scrub routine.
- check for null in delegation point during iterator refetch
in forward zone.
- neater pointer cast in libunbound context quit routine.
- initialize statistics totals for printout.
- in authzone check that node exists before adding rrset.
- in unbound-anchor, use readwrite memory BIO.
- assertion in autotrust that packed rrset is formed correctly.
- Fix memory leak when message parse fails partway through copy.
- remove unused udpsize assignment in message encode.
- nicer bio free code in unbound-anchor.
- annotate exit functions with noreturn in unbound-control.
11 September 2018: Wouter
- Fixed unused return value warnings in contrib/fastrpz.patch for
asprintf.
- Fix to squelch respip warning in unit test, it is printed at
higher verbosity settings.
- Fix spelling errors.
- Fix initialisation in remote.c
10 September 2018: Wouter
- 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
- iana port update.
5 September 2018: Wouter
- Fix spelling error in header, from getdns commit by Andreas Gelmini.
4 September 2018: Ralph
- More explicitly mention the type of ratelimit when applying
ip-ratelimit.
4 September 2018: Wouter
- Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
31 August 2018: Wouter
- Disable minimal-responses in subnet unit tests.
30 August 2018: Wouter
- Fix that a local-zone with a local-zone-type that is transparent
in a view with view-first, makes queries check for answers from the
local-zones defined outside of views.
28 August 2018: Ralph
- Disable minimal-responses in ipsecmod unit tests.
- Added serve-expired-ttl and serve-expired-ttl-reset options.
27 August 2018: Wouter
- Set defaults to yes for a number of options to increase speed and
resilience of the server. The so-reuseport, harden-below-nxdomain,
and minimal-responses options are enabled by default. They used
to be disabled by default, waiting to make sure they worked. They
are enabled by default now, and can be disabled explicitly by
setting them to "no" in the unbound.conf config file. The reuseport
and minimal options increases speed of the server, and should be
otherwise harmless. The harden-below-nxdomain option works well
together with the recently default enabled qname minimisation, this
causes more fetches to use information from the cache.
- next release is called 1.8.0.
- Fix lintflags for lint on FreeBSD.
22 August 2018: George
- #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
gives access to reply information for the client's communication
point when the callback is called before the mesh state (modules).
Changes to C and Python's inplace_callback signatures were also
necessary.
21 August 2018: Wouter
- log-local-actions: yes option for unbound.conf that logs all the
local zone actions, a patch from Saksham Manchanda (Secure64).
- #4146: num.query.subnet and num.query.subnet_cache counters.
- Fix only misc failure from log-servfail when val-log-level is not
enabled.
17 August 2018: Ralph
- Fix classification for QTYPE=CNAME queries when QNAME minimisation is
enabled.
17 August 2018: Wouter
- Set libunbound to increase current, because the libunbound change
to the event callback function signature. That needs programs,
that use it, to recompile against the new header definition.
- print servfail info to log as error.
- added more servfail printout statements, to the iterator.
- log-servfail: yes prints log lines that say why queries are
returning SERVFAIL to clients.
16 August 2018: Wouter
- Fix warning on compile without threads.
- Fix contrib/fastrpz.patch.
15 August 2018: Wouter
- Fix segfault in auth-zone read and reorder of RRSIGs.
14 August 2018: Wouter
- Fix that printout of error for cycle targets is a verbosity 4
printout and does not wrongly print it is a memory error.
- Upgraded crosscompile script to include libunbound DLL in the
zipfile.
10 August 2018: Wouter
- Fix #4144: dns64 module caches wrong (negative) information.
9 August 2018: Wouter
- unbound-checkconf checks if modules exist and prints if they are
not compiled in the name of the wrong module.
- document --enable-subnet in doc/README.
- Patch for stub-no-cache and forward-no-cache options that disable
caching for the contents of that stub or forward, for when you
want immediate changes visible, from Bjoern A. Zeeb.
7 August 2018: Ralph
- Make capsforid fallback QNAME minimisation aware.
7 August 2018: Wouter
- Fix #4142: unbound.service.in: improvements and fixes.
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
- Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
This limits the number of simultaneous TCP client connections
from a nominated netblock.
- make depend, yacc, lex, doc, headers. And log the limit exceeded
message only on high verbosity, so as to not spam the logs when
it is busy.
6 August 2018: Wouter
- Fix for #4136: Fix to unconditionally call destroy in daemon.c.
3 August 2018: George
- Expose if a query (or a subquery) was ratelimited (not src IP
ratelimiting) to libunbound under 'ub_result.was_ratelimited'.
This also introduces a change to 'ub_event_callback_type' in
libunbound/unbound-event.h.
- Tidy pylib tests.
3 August 2018: Wouter
- Revert previous change for #4136: because it introduces build
problems.
- New fix for #4136: This one ignores lex without without
yylex_destroy.
1 August 2018: Wouter
- Fix to remove systemd sockaddr function check, that is not
always present. Make socket activation more lenient. But not
different when socket activation is not used.
- iana port list update.
31 July 2018: Wouter
- Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
- Sort out test runs when the build directory isn't the project
root directory.
- Add config tcp-idle-timeout (default 30s). This applies to
client connections only; the timeout on TCP connections upstream
is unaffected.
- Error if EDNS Keepalive received over UDP.
- Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
and implement option in client responses.
- Correct and expand manual page entries for keepalive and idle timeout.
- Implement progressive backoff of TCP idle/keepalive timeout.
- Fix 'make depend' to work when build dir is not project root.
- Add delay parameter to streamtcp, -d secs.
To be used when testing idle timeout.
- From Wouter: make depend, the dependencies in the patches did not
apply cleanly. Also remade yacc and lex.
- Fix mesh.c incompatible pointer pass.
- Please doxygen so it passes.
- Fix #4139: Fix unbound-host leaks memory on ANY.
30 July 2018: Wouter
- Fix #4136: insufficiency from mismatch of FLEX capability between
released tarball and build host.
27 July 2018: Wouter
- Fix man page, say that chroot is enabled by default.
26 July 2018: Wouter
- Fix #4135: 64-bit Windows Installer Creates Entries Under The
Wrong Registry Key, reported by Brian White.
23 July 2018: Wouter
- Fix use-systemd readiness signalling, only when use-systemd is yes
and not in signal handler.
20 July 2018: Wouter
- Fix #4130: print text describing -dd and unbound-checkconf on
config file read error at startup, the errors may have been moved
away by the startup process.
- Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
19 July 2018: Wouter
- Fix #4129 unbound-control error message with wrong cert permissions
is too cryptic.
17 July 2018: Wouter
- Fix #4127 unbound -h does not list -p help.
- Print error if SSL name verification configured but not available
in the ssl library.
- Fix that ratelimit and ip-ratelimit are applied after reload of
changed config file.
- Resize ratelimit and ip-ratelimit caches if changed on reload.
16 July 2018: Wouter
- Fix qname minimisation NXDOMAIN validation lookup failures causing
error_supers assertion fails.
- Squelch can't bind socket errors with Permission denied unless
verbosity is 4 or higher, for UDP outgoing sockets.
12 July 2018: Wouter
- Fix to improve systemd socket activation code file descriptor
assignment.
- Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
easily changed to adjust default rtt assumptions.
10 July 2018: Wouter
- Note in documentation that the cert name match code needs
OpenSSL 1.1.0 or later to be enabled.
6 July 2018: Wouter
- Fix documentation ambiguity for tls-win-cert in tls-upstream and
forward-tls-upstream docs.
- iana port update.
- Note RFC8162 support. SMIMEA record type can be read in by the
zone record parser.
- Fix round robin for failed addresses with prefer-ip6: yes
4 July 2018: Wouter
- Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
if DNSSEC is not enabled. New option -R allows fallback from
resolv.conf to direct queries.
3 July 2018: Wouter
- Better documentation for unblock-lan-zones and insecure-lan-zones
config statements.
- Fix permission denied printed for auth zone probe random port nrs.
2 July 2018: Wouter
- Fix checking for libhiredis printout in configure output.
- Fix typo on man page in ip-address description.
- Update libunbound/python/examples/dnssec_test.py example code to
also set the 20326 trust anchor for the root in the example code.
29 June 2018: Wouter
- dns64-ignore-aaaa: config option to list domain names for which the
existing AAAA is ignored and dns64 processing is used on the A
record.
28 June 2018: Wouter
- num.queries.tls counter for queries over TLS.
- log port number with err_addr logs.
27 June 2018: Wouter
- #4109: Fix that package config depends on python unconditionally.
- Patch, do not export python from pkg-config, from Petr Menšík.
26 June 2018: Wouter
- Partial fix for permission denied on IPv6 address on FreeBSD.
- Fix that auth-zone master reply with current SOA serial does not
stop scan of masters for an updated zone.
- Fix that auth-zone does not start the wait timer without checking
if the wait timer has already been started.
21 June 2018: Wouter
- #4108: systemd reload hang fix.
- Fix usage printout for unbound-host, hostname has to be last
argument on BSDs and Windows.
19 June 2018: Wouter
- Fix for unbound-control on Windows and set TCP socket parameters
more closely.
This fix is part of 1.7.3.
- Windows example service.conf edited with more windows specific
configuration.
- Fix windows unbound-control no cert bad file descriptor error.
This fix is part of 1.7.3.
18 June 2018: Wouter
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
This fix is part of 1.7.3rc2.
- Fix unbound-checkconf for control-use-cert.
This fix is part of 1.7.3.
15 June 2018: Wouter
- tag for 1.7.3rc1.
- trunk has 1.7.4.
- unbound-control auth_zone_reload _zone_ option rereads the zonefile.
- unbound-control auth_zone_transfer _zone_ option starts the probe
sequence for a master to transfer the zone from and transfers when
a new zone version is available.
14 June 2018: Wouter
- #4103: Fix that auth-zone does not insist on SOA record first in
file for url downloads.
- Fix that first control-interface determines if TLS is used. Warn
when IP address interfaces are used without TLS.
- Fix nettle compile.
12 June 2018: Ralph
- Don't count CNAME response types received during qname minimisation as
query restart.
12 June 2018: Wouter
- #4102 for NSD, but for Unbound. Named unix pipes do not use
certificate and key files, access can be restricted with file and
directory permissions. The option control-use-cert is no longer
used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every
line adds one port.
- Fix buffer size warning in unit test.
- remade dependencies in the Makefile.
6 June 2018: Wouter
- Patch to fix openwrt for mac os build darwin detection in configure.
5 June 2018: Wouter
- Fix crash if ratelimit taken into use with unbound-control
instead of with unbound.conf.
4 June 2018: Wouter
- Fix deadlock caused by incoming notify for auth-zone.
- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
trunk is 1.7.3 in development from this point.
- #4100: Fix stub reprime when it becomes useless.
1 June 2018: Wouter
- Rename additional-tls-port to tls-additional-ports.
The older name is accepted for backwards compatibility.
30 May 2018: Wouter
- Patch from Syzdek: Add ability to ignore RD bit and treat all
requests as if the RD bit is set.
29 May 2018: Wouter
- in compat/arc4random call getentropy_urandom when getentropy fails
with ENOSYS.
- Fix that fallback for windows port.
28 May 2018: Wouter
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
25 May 2018: Wouter
- For TCP and TLS connections that don't establish, perform address
update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
24 May 2018: Wouter
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage
inside libunbound), when ssl upstream or a cert-bundle is configured.
23 May 2018: Wouter
- Use accept4 to speed up incoming TCP (and TLS) connections,
available on Linux, FreeBSD and OpenBSD.
17 May 2018: Ralph
- Qname minimisation default changed to yes.
15 May 2018: Wouter
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
11 May 2018: Wouter
- Fix contrib/libunbound.pc for libssl libcrypto references,
from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
7 May 2018: Wouter
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
3 May 2018: Wouter
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
2 May 2018: Wouter
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
1 May 2018: Wouter
- Fix that unbound-control reload frees the rrset keys and returns
the memory pages to the system.
30 April 2018: Wouter
- Fix spelling error in man page and note defaults as no instead of
off.
26 April 2018: Wouter
- Fix for crash in daemon_cleanup with dnstap during reload,
from Saksham Manchanda.
- Also that for dnscrypt.
- tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
is from here 1.7.2 in development.
25 April 2018: Ralph
- Fix memory leak when caching wildcard records for aggressive NSEC use
24 April 2018: Wouter
- Fix contrib/fastrpz.patch for this release.
- Fix auth https for libev.
24 April 2018: Ralph
- Added root-key-sentinel support
23 April 2018: Wouter
- makedist uses bz2 for expat code, instead of tar.gz.
- Fix #4092: libunbound: use-caps-for-id lacks colon in
config_set_option.
- auth zone http download stores exact copy of downloaded file,
including comments in the file.
- Fix sldns parse failure for CDS alternate delete syntax empty hex.
- Attempt for auth zone fix; add of callback in mesh gets from
callback does not skip callback of result.
- Fix cname classification with qname minimisation enabled.
- list_auth_zones unbound-control command.
20 April 2018: Wouter
- man page documentation for dns-over-tls forward-addr '#' notation.
- removed free from failed parse case.
- Fix #4091: Fix that reload of auth-zone does not merge the zonefile
with the previous contents.
- Delete auth zone when removed from config.
19 April 2018: Wouter
- Can set tls authentication with forward-addr: IP#tls.auth.name
And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
such as forward-addr: 9.9.9.9@853#dns.quad9.net or
1.1.1.1@853#cloudflare-dns.com
- Fix #658: unbound using TLS in a forwarding configuration does not
verify the server's certificate (RFC 8310 support).
- For addr with #authname and no @port notation, the default is 853.
18 April 2018: Wouter
- Fix auth-zone retry timer to be on schedule with retry timeout,
with backoff. Also time a refresh at the zone expiry.
17 April 2018: Wouter
- auth zone notify work.
- allow-notify: config statement for auth-zones.
- unit test for allow-notify
16 April 2018: Wouter
- Fix auth zone target lookup iterator.
- auth zone notify with prefix
- auth zone notify work.
13 April 2018: Wouter
- Fix for max include depth for authzones.
- Fix memory free on fail for $INCLUDE in authzone.
- Fix that an internal error to look up the wrong rr type for
auth zone gets stopped, before trying to send there.
- auth zone notify work.
10 April 2018: Ralph
- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
statistics counters.
10 April 2018: Wouter
- documentation for low-rtt and low-rtt-pct.
- auth zone notify work.
9 April 2018: Wouter
- Fix that flush_zone sets prefetch ttl expired, so that with
serve-expired enabled it'll start prefetching those entries.
- num.query.authzone.up and num.query.authzone.down statistics counters.
- Fix downstream auth zone, only fallback when auth zone fails to
answer and fallback is enabled.
- Accept both option names with and without colon for get_option
and set_option.
- low-rtt and low-rtt-pct in unbound.conf enable the server selection
of fast servers for some percentage of the time.
5 April 2018: Wouter
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
tls_choose_sigalg routine does not allow the ciphers for the pipe,
so use TLSv1.2.
- ED448 support.
3 April 2018: Wouter
- Fix #4043: make test fails due to v6 presentation issue in macOS.
- Fix unable to resolve after new WLAN connection, due to auth-zone
failing with a forwarder set. Now, auth-zone is only used for
answers (not referrals) when a forwarder is set.
29 March 2018: Ralph
- Check "result" in dup_all(), by Florian Obser.
23 March 2018: Ralph
- Fix unbound-control get_option aggressive-nsec
21 March 2018: Ralph
- Do not use cached NSEC records to generate negative answers for
domains under DNSSEC Negative Trust Anchors.
19 March 2018: Wouter
- iana port update.
16 March 2018: Wouter
- corrected a minor typo in the changelog.
- move htobe64/be64toh portability code to cachedb.c.
15 March 2018: Wouter
- Add --with-libhiredis, unbound support for a new cachedb backend
that uses a Redis server as the storage. This implementation
depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
And unbound should be built with both --enable-cachedb and
--with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
should exist). Patch from Jinmei Tatuya (Infoblox).
- Fix #3817: core dump happens in libunbound delete, when queued
servfail hits deleted message queue.
- Create additional tls service interfaces by opening them on other
portnumbers and listing the portnumbers as additional-tls-port: nr.
13 March 2018: Wouter
- Fix typo in documentation.
- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
flushed with serve-expired on.
12 March 2018: Wouter
- Added documentation for aggressive-nsec: yes.
- tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
now has 1.7.1 in development.
- Fix #3727: Protocol name is TLS, options have been renamed but
documentation is not consistent.
- Check IXFR start serial.
9 March 2018: Wouter
- Fix #3598: Fix swig build issue on rhel6 based system.
configure --disable-swig-version-check stops the swig version check.
8 March 2018: Wouter
- tag 1.7.0rc2.
7 March 2018: Wouter
- Fixed contrib/fastrpz.patch, even though this already applied
cleanly for me, now also for others.
- patch to log creates keytag queries, from A. Schulze.
- patch suggested by Debian lintian: allow to -> allow one to, from
A. Schulze.
- Attempt to remove warning about trailing whitespace.
6 March 2018: Wouter
- Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to
other implementations.
- svn trunk contains 1.7.0, this is the number for the next release.
- Fix for windows compile.
- tag 1.7.0rc1.
5 March 2018: Wouter
- Fix to check define of DSA for when openssl is without deprecated.
- iana port update.
- Fix #3582: Squelch address already in use log when reuseaddr option
causes same port to be used twice for tcp connections.
27 February 2018: Wouter
- Fixup contrib/fastrpz.patch so that it applies.
- Fix compile without threads, and remove unused variable.
- Fix compile with staticexe and python module.
- Fix nettle compile.
22 February 2018: Ralph
- Save wildcard RRset from answer with original owner for use in
aggressive NSEC.
21 February 2018: Wouter
- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
when there is a CNAME loop.
- Fix validation for CNAME loops. When it detects a cname loop,
by finding the cname, cname in the existing list, it returns
the partial result with the validation result up to then.
- more robust cachedump rrset routine.
19 February 2018: Wouter
- Fix #3505: Documentation for default local zones references
wrong RFC.
- Fix #3494: local-zone noview can be used to break out of the view
to the global local zone contents, for queries for that zone.
- Fix for more maintainable code in localzone.
16 February 2018: Wouter
- Fixes for clang static analyzer, the missing ; in
edns-subnet/addrtree.c after the assert made clang analyzer
produce a failure to analyze it.
13 February 2018: Ralph
- Aggressive NSEC tests
13 February 2018: Wouter
- tls-cert-bundle option in unbound.conf enables TLS authentication.
- iana port update.
12 February 2018: Wouter
- Unit test for auth zone https url download.
12 February 2018: Ralph
- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
- Processed aggressive NSEC code review remarks Wouter
8 February 2018: Ralph
- Aggressive use of NSEC implementation. Use cached NSEC records to
generate NXDOMAIN, NODATA and positive wildcard answers.
8 February 2018: Wouter
- iana port update.
- auth zone url config.
5 February 2018: Wouter
- Fix #3451: dnstap not building when you have a separate build dir.
And removed protoc warning, set dnstap.proto syntax to proto2.
- auth-zone provides a way to configure RFC7706 from unbound.conf,
eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
fallback-enabled: yes and masters or a zonefile with data.
2 February 2018: Wouter
- Fix unfreed locks in log and arc4random at exit of unbound.
- unit test with valgrind
- Fix lock race condition in dns cache dname synthesis.
- lock subnet new item before insertion to please checklocks,
no modification of critical regions outside of lock region.
1 February 2018: Wouter
- fix unaligned structure making a false positive in checklock
unitialised memory.
29 January 2018: Ralph
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
25 January 2018: Wouter
- ltrace.conf file for libunbound in contrib.
23 January 2018: Wouter
- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
for startup scripts to get the full pathname(s) of anchor file(s).
- Print fatal errors about remote control setup before log init,
so that it is printed to console.
22 January 2018: Wouter
- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
also recognized and means the same. Also for tls-port,
tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
the middle of a cname chain, a result without the DNAME could
be returned.
19 January 2018: Wouter
- tag 1.6.8 for release with CVE fix.
- trunk has 1.6.9 with fix and previous commits.
- patch for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.
- iana port update.
- make depend: code dependencies updated in Makefile.
4 January 2018: Ralph
- Copy query and correctly set flags on REFUSED answers when cache
snooping is not allowed.
3 January 2018: Ralph
- Fix queries being leaked above stub when refetching glue.
2 January 2017: Wouter
- Fix that DS queries with referral replies are answered straight
away, without a repeat query picking the DS from cache.
The correct reply should have been an answer, the reply is fixed
by the scrubber to have the answer in the answer section.
- Remove clang optimizer disable,
Fix that expiration date checks don't fail with clang -O2.
15 December 2017: Wouter
- Fix timestamp failure because of clang optimizer failure, by
disabling -O2 when the compiler --version is clang.
- iana port update.
- Also disable -flto for clang, to make incep-expi signature check
work.
12 December 2017: Ralph
- Fix qname-minimisation documentation (A QTYPE, not NS)
12 December 2017: Wouter
- authzone work, transfer connect.
7 December 2017: Ralph
- Check whether --with-libunbound-only is set when using --with-nettle
or --with-nss.
4 December 2017: Wouter
- Fix link failure on OmniOS.
1 December 2017: Wouter
- auth zone work.
30 November 2017: Wouter
- Fix #3299 - forward CNAME daisy chain is not working
14 November 2017: Wouter
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
set for stub zone. It no longer searches for DNSSEC information.
- auth xfer work on probe timer and lookup.
13 November 2017: Wouter
- Fix #2801: Install libunbound.pc.
- Fix qname minimisation to send AAAA queries at zonecut like type A.
- reverted AAAA change.
7 November 2017: Wouter
- Fix #2492: Documentation libunbound.
3 November 2017: Wouter
- Fix #2362: TLS1.3/openssl-1.1.1 not working.
- Fix #2034 - Autoconf and -flto.
- Fix #2141 - for libsodium detect lack of entropy in chroot, print
a message and exit.
2 November 2017: Wouter
- Fix #1913: ub_ctx_config is under circumstances thread-safe.
- make ip-transparent option work on OpenBSD.
31 October 2017: Wouter
- Document that errno is left informative on libunbound config read
fail.
- lexer output.
- iana port update.
25 October 2017: Ralph
- Fixed libunbound manual typo.
- Fix #1949: [dnscrypt] make provider name mismatch more obvious.
- Fix #2031: Double included headers
24 October 2017: Ralph
- Update B root ipv4 address.
19 October 2017: Wouter
- authzone work, probe timer setup.
18 October 2017: Wouter
- lint for recent authzone commit.
17 October 2017: Wouter
- Fix #1749: With harden-referral-path: performance drops, due to
circular dependency in NS and DS lookups.
- [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
duplicates
- [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
from Manu Bretelle.
This option allows handling multiple cert/key pairs while only
distributing some of them.
In order to reliably match a client magic with a given key without
strong assumption as to how those were generated, we need both key and
cert. Likewise, in order to know which ES version should be used.
On the other hand, when rotating a cert, it can be desirable to only
serve the new cert but still be able to handle clients that are still
using the old certs's public key.
The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
publish the cert as part of the DNS's provider_name's TXT answer.
- Better documentation for cache-max-negative-ttl.
- Work on local root zone code.
10 October 2017: Wouter
- tag 1.6.7
- trunk has version 1.6.8.
6 October 2017: Wouter
- Fix spelling in unbound-control man page.
5 October 2017: Wouter
- Fix trust-anchor-signaling works in libunbound.
- Fix some more crpls in testdata for different signaling default.
- tag 1.6.7rc1
5 October 2017: Ralph
- Set trust-anchor-signaling default to yes
- Use RCODE from A query on DNS64 synthesized answer.
2 October 2017: Wouter
- Fix param unused warning for windows exportsymbol compile.
25 September 2017: Ralph
- Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
(by Danilo G. Baio).
21 September 2017: Ralph
- Log name of looping module
19 September 2017: Wouter
- use a cachedb answer even if it's "expired" when serve-expired is yes
(patch from Jinmei Tatuya).
- trigger refetching of the answer in that case (this will bypass
cachedb lookup)
- allow storing a 0-TTL answer from cachedb in the in-memory message
cache when serve-expired is yes
- Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
18 September 2017: Ralph
- Fix #1400: allowing use of global cache on ECS-forwarding unless
always-forward.
18 September 2017: Wouter
- tag 1.6.6 (is 1.6.6rc2)
- Fix that looping modules always stop the query, and don't pass
control.
- Fix #1435: Please allow UDP to be disabled separately upstream and
downstream.
- Fix #1440: [dnscrypt] client nonce cache.
15 September 2017: Wouter
- Fix unbound-host to report error for DNSSEC state of failed lookups.
- Spelling fixes, from Josh Soref.
13 September 2017: Wouter
- tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
12 September 2017: Wouter
- Add dns64 for client-subnet in unbound-checkconf.
4 September 2017: Ralph
- Fix #1412: QNAME minimisation strict mode not honored
- Fix #1434: Fix windows openssl 1.1.0 linking.
4 September 2017: Wouter
- tag 1.6.6rc1
- makedist fix for windows binaries, with openssl 1.1.0 windres fix,
and expat 2.2.4 install target fix.
1 September 2017: Wouter
- Recommend 1472 buffer size in unbound.conf
31 August 2017: Wouter
- Fix #1424: cachedb:testframe is not thread safe.
- For #1417: escape ; in dnscrypt tests.
- but reverted that, tests fails with that escape.
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
dnscrypt is not enabled. And cache size configuration option.
- make depend
- Fix #1418: [ip ratelimit] initialize slabhash using
ip-ratelimit-slabs.
30 August 2017: Wouter
- updated contrib/fastrpz.patch to apply with configparser changes.
- Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
29 August 2017: Wouter
- Fix #1414: fix segfault on parse failure and log_replies.
- zero qinfo in handle_request, this zeroes local_alias and also the
qname member.
- new keys and certs for dnscrypt tests.
- fixup WKS test on buildhost without servicebyname.
28 August 2017: Wouter
- Fix #1415: patch to free dnscrypt environment on reload.
- iana portlist update
- Fix #1415: [dnscrypt] shared secret cache, patch from
Manu Bretelle.
- Small fixes for the shared secret cache patch.
- Fix WKS records on kvm autobuild host, with default protobyname
entries for udp and tcp.
23 August 2017: Wouter
- Fix #1407: Add ECS options check to unbound-checkconf.
- make depend
- Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
allocation failure.
22 August 2017: Wouter
- Fix install of trust anchor when two anchors are present, makes both
valid. Checks hash of DS but not signature of new key. This fixes
the root.key file if created when unbound is installed between
sep11 and oct11 2017.
- tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
- trunk version 1.6.6 in development.
- Fix issue on macOX 10.10 where TCP fast open is detected but not
implemented causing TCP to fail. The fix allows fallback to regular
TCP in this case and is also more robust for cases where connectx()
fails for some reason.
- Fix #1402: squelch invalid argument error for fd_set_block on windows.
10 August 2017: Wouter
- Patch to show DNSCrypt status in help output, from Carsten
Strotmann.
8 August 2017: Wouter
- Fix #1398: make cachedb secret configurable.
- Remove spaces from Makefile.
7 August 2017: Wouter
- Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
3 August 2017: Ralph
- Remove unused iter_env member (ip6arpa_dname)
- Do not reset rrset.bogus stats when called using stats_noreset.
- Added stats for queries that have been ratelimited by domain
recursion.
- Do not add rrset_bogus and query ratelimiting stats per thread, these
module stats are global.
3 August 2017: Wouter
- Fix #1394: mix of serve-expired and response-ip could cause a crash.
24 July 2017: Wouter
- upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
config.sub(2016-09-05).
- annotate case statement fallthrough for gcc 7.1.1.
- flex output from flex 2.6.1.
- snprintf of thread number does not warn about truncated string.
- squelch TCP fast open error on FreeBSD when kernel has it disabled,
unless verbosity is high.
- remove warning from windows compile.
- Fix compile with libnettle
- Fix DSA configure switch (--disable dsa) for libnettle and libnss.
- Fix #1365: Add Ed25519 support using libnettle.
- iana portlist update
17 July 2017: Wouter
- Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
- Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
With the -p option unbound does not create a pidfile.
11 July 2017: Wouter
- Fix #1344: RFC6761-reserved domains: test. and invalid.
- Redirect all localhost names to localhost address for RFC6761.
6 July 2017: Wouter
- Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
- Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
4 July 2017: Wouter
- Fix 1332: Bump verbosity of failed chown'ing of the control socket.
3 July 2017: Wouter
- Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
on.
- Fix #1331: libunbound segfault in threaded mode when context is
deleted.
- Fix pythonmod link line option flag.
- Fix openssl 1.1.0 load of ssl error strings from ssl init.
29 June 2017: Wouter
- Fix python example0 return module wait instead of error for pass.
- iana portlist update
- enhancement for hardened-tls for DNS over TLS. Removed duplicated
security settings.
27 June 2017: Wouter
- Tag 1.6.4 is created with the 1.6.4rc2 contents.
- Trunk contains 1.6.5, with changes from 26, 27 june.
- Remove signed unsigned warning from authzone.
- Fix that infra cache host hash does not change after reconfig.
26 June 2017: Wouter
- (for 1.6.5)
Better fixup of dnscrypt_cert_chacha test for different escapes.
- First fix for zero b64 and hex text zone format in sldns.
- unbound-control dump_infra prints port number for address if not 53.
23 June 2017: Wouter
- (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
22 June 2017: Wouter
- Tag 1.6.4rc2
22 June 2017: Ralph
- Added fastrpz patch to contrib
21 June 2017: Wouter
- Fix #1316: heap read buffer overflow in parse_edns_options.
20 June 2017: Wouter
- Fix warning in pythonmod under clang compiler.
- Tag 1.6.4rc1
- Fix lintian typo.
16 June 2017: Ralph
- Fix #1277: disable domain ratelimit by setting value to 0.
16 June 2017: Wouter
- Fix #1301: memory leak in respip and tests.
- Free callback in edns-subnetmod on exit and restart.
- Fix memory leak in sldns_buffer_new_frm_data.
- Fix memory leak in dnscrypt config read.
- Fix dnscrypt chacha cert support ifdefs.
- Fix dnscrypt chacha cert unit test escapes in grep.
- Remove asynclook tests that cause test and purifier problems.
- Fix to unlock view in view test.
15 June 2017: Wouter
- Fix stub zone queries leaking to the internet for
harden-referral-path ns checks.
- Fix query for refetch_glue of stub leaking to internet.
13 June 2017: Wouter
- Fix #1279: Memory leak on reload when python module is enabled.
- Fix #1280: Unbound fails assert when response from authoritative
contains malformed qname. When 0x20 caps-for-id is enabled, when
assertions are not enabled the malformed qname is handled correctly.
- 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
- More fixes in depth for buffer checks in 0x20 qname checks.
12 June 2017: Wouter
- Fix #1278: Incomplete wildcard proof.
8 June 2017: Ralph
- Added domain name based ECS whitelist.
8 June 2017: Wouter
- Detect chacha for dnscrypt at configure time.
- dnscrypt unit tests with chacha.
7 June 2017: Wouter
- Fix that unbound-control can set val_clean_additional and val_permissive_mode.
- Add dnscrypt XChaCha20 tests.
6 June 2017: Wouter
- Add an explicit type cast for TCP FASTOPEN fix.
- renumbering B-Root's IPv6 address to 2001:500:200::b.
- Fix #1275: cached data in cachedb is never used.
- Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
1 June 2017: Ralph
- Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
(from Manu Bretelle).
1 June 2017: Wouter
- Fix fastopen EPIPE fallthrough to perform connect.
31 May 2017: Ralph
- Also use global local-zones when there is a matching view that does
not have any local-zone specified.
31 May 2017: Wouter
- Fix #1273: cachedb.c doesn't compile with -Wextra.
- If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
30 May 2017: Ralph
- Fix #1269: inconsistent use of built-in local zones with views.
- Add defaults for new local-zone trees added to views using
unbound-control.
30 May 2017: Wouter
- Support for openssl EVP_DigestVerify.
- Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
29 May 2017: Wouter
- Fix assertion for low buffer size and big edns payload when worker
overrides udpsize.
26 May 2017: Ralph
- Added redirect-bogus.patch to contrib directory.
26 May 2017: Wouter
- Fix #1270: unitauth.c doesn't compile with higher warning level
and optimization
- exec_prefix is by default equal to prefix.
- printout localzone for duplicate local-zone warnings.
24 May 2017: Wouter
- authzone cname chain, no rrset duplicates, wildcard doesn't change
rrsets added for cname chain.
23 May 2017: Wouter
- first services/authzone check in, it compiles and reads and writes
zonefiles.
- iana portlist update
22 May 2017: Wouter
- Fix #1268: SIGSEGV after log_reopen.
18 May 2017: Wouter
- Fix #1265 to use /bin/kill.
- Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
and compatibility with BoringSSL.
17 May 2017: Wouter
- Fix #1265: contrib/unbound.service contains hardcoded path.
17 May 2017: George
- Use qstate's region for IPSECKEY rrset (ipsecmod).
16 May 2017: George
- Implemented opportunistic IPsec support module (ipsecmod).
- Some whitespace fixup.
16 May 2017: Wouter
- updated dependencies in the makefile.
- document trust-anchor-signaling in example config file.
- updated configure, dependencies and flex output.
- better module memory lookup, fix of unbound-control shm names for
module memory printout of statistics.
- Fix type AVC sldns rrdef.
12 May 2017: Wouter
- Adjust servfail by iterator to not store in cache when serve-expired
is enabled, to avoid overwriting useful information there.
- Fix queries for nameservers under a stub leaking to the internet.
9 May 2017: Ralph
- Add 'c' to getopt() in testbound.
- iana portlist update
8 May 2017: Wouter
- Fix tcp-mss failure printout text.
- Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
connect limited tcp connections. With the option tcp connections
can share the same source port (for different destinations).
2 May 2017: Ralph
- Added mesh_add_sub to add detached mesh entries.
- Use mesh_add_sub for key tag signaling query.
2 May 2017: Wouter
- Added test for leak of stub information.
- Fix sldns wire2str printout of RR type CAA tags.
- Fix sldns int16_data parse.
- Fix sldns parse and printout of TSIG RRs.
- sldns SMIMEA and AVC definitions, same as getdns definitions.
1 May 2017: Wouter
- Fix #1259: "--disable-ecdsa" argument overwritten
by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".
- iana portlist update
- Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
and fix that 64bit getting installed in C:\Program Files (x86).
26 April 2017: Ralph
- Implemented trust anchor signaling using key tag query.
26 April 2017: Wouter
- Based on #1257: check parse limit before t increment in sldns RR
string parse routine.
24 April 2017: Wouter
- unbound-checkconf -o allows query of dnstap config variables.
Also unbound-control get_option. Also for dnscrypt.
- trunk contains 1.6.3 version number (changes from 1.6.2 back from
when the 1.6.2rc1 tag has been created).
21 April 2017: Ralph
- Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
- iana portlist update
18 April 2017: Ralph
- Fix #1252: more indentation inconsistencies.
- Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
13 April 2017: Ralph
- Added ECS unit test (from Manu Bretelle).
- ECS documentation fix (from Manu Bretelle).
13 April 2017: Wouter
- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
- tag for 1.6.2rc1
- (for 1.6.3:) unbound.h exports the shm stats structures. They use
type long long and no ifdefs, and ub_ before the typenames.
12 April 2017: Wouter
- subnet mem value is available in shm, also when not enabled,
to make the struct easier to memmap by other applications,
independent of the configuration of unbound.
12 April 2017: Ralph
- Fix #1247: unbound does not shorten source prefix length when
forwarding ECS.
- Properly check for allocation failure in local_data_find_tag_datas.
- Fix #1249: unbound doesn't return FORMERR to bogus ECS.
- Set SHM ECS memory usage to 0 when module not loaded.
11 April 2017: Ralph
- Display ECS module memory usage.
10 April 2017: Wouter
- harden-algo-downgrade: no also makes unbound more lenient about
digest algorithms in DS records.
10 April 2017: Ralph
- Remove ECS option after REFUSED answer.
- Fix small memory leak in edns_opt_copy_alloc.
- Respip dereference after NULL check.
- Zero initialize addrtree allocation.
- Use correct identifier for SHM destroy.
7 April 2017: George
- Fix pythonmod for cb changes.
- Some whitespace fixup.
7 April 2017: Ralph
- Unlock view in respip unit test
6 April 2017: Ralph
- Generalise inplace callback (de)registration
- (de)register inplace callbacks for module id
- No unbound-control set_option for ECS options
- Deprecated client-subnet-opcode config option
- Introduced client-subnet-always-forward config option
- Changed max-client-subnet-ipv6 default to 56 (as in RFC)
- Removed extern ECS config options
- module_restart_next now calls clear on all following modules
- Also create ECS module qstate on module_event_pass event
- remove malloc from inplace_cb_register
6 April 2017: Wouter
- Small fixup for documentation.
- iana portlist update
- Fix respip for braces when locks arent used.
- Fix pythonmod for cb changes.
4 April 2017: Wouter
- Fix #1244: document that use of chroot requires trust anchor file to
be under chroot.
- iana portlist update
3 April 2017: Ralph
- Do not add current time twice to TTL before ECS cache store.
- Do not touch rrset cache after ECS cache message generation.
- Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
3 April 2017: Wouter
- Fix #1217: Add metrics to unbound-control interface showing
crypted, cert request, plaintext and malformed queries (from
Manu Bretelle).
- iana portlist update
27 March 2017: Wouter
- Remove (now unused) event2 include from dnscrypt code.
24 March 2017: George
- Fix to prevent non-referal query from being cached as referal when the
no_cache_store flag was set.
23 March 2017: Wouter
- Fix #1239: configure fails to find python distutils if python
prints warning.
22 March 2017: Wouter
- Fix #1238: segmentation fault when adding through the remote
interface a per-view local zone to a view with no previous
(configured) local zones.
- Fix #1229: Systemd service sandboxing, options in wrong sections.
21 March 2017: Ralph
- Merge EDNS Client subnet implementation from feature branch into main
branch, using new EDNS processing framework.
21 March 2017: Wouter
- Fix doxygen for dnscrypt files.
20 March 2017: Wouter
- #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
enabled in the config file from Manu Bretelle.
- make depend, autoconf, remove warnings about statement before var.
- lru_demote and lruhash_insert_or_retrieve functions for getdns.
- fixup for lruhash (whitespace and header file comment).
- dnscrypt tests.
17 March 2017: Wouter
- Patch for view functionality for local-data-ptr from Björn Ketelaars.
- Fix #1237 - Wrong resolving in chain, for norec queries that get
SERVFAIL returned.
16 March 2017: Wouter
- Fix that SHM is not inited if not enabled.
- Add trustanchor.unbound CH TXT that gets a response with a number
of TXT RRs with a string like "example.com. 2345 1234" with
the trust anchors and their keytags.
- Fix that looped DNAMEs do not cause unbound to spend effort.
- trustanchor tags are sorted. reusable routine to fetch taglist.
13 March 2017: Wouter
- testbound understands Deckard MATCH rcode question answer commands.
- Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
of YXDOMAIN + query loop, reported by Petr Spacek.
10 March 2017: Wouter
- Fix #1234: shortening DNAME loop produces duplicate DNAME records
in ANSWER section.
9 March 2017: Wouter
- --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
DS records. NSEC3 is not disabled.
- fake-sha1 test option; print warning if used. To make unit tests.
- unbound-control list local zone and data commands listed in the
help output.
8 March 2017: Wouter
- make depend for build dependencies.
- swig version 2.0.1 required.
- fix enum conversion warnings
7 March 2017: Wouter
- Fix #1230: swig version 2.0.0 is required for pythonmod, with
1.3.40 it crashes when running repeatly unbound-control reload.
- Response actions based on IP address from Jinmei Tatuya (Infoblox).
6 March 2017: Wouter
- Fix #1229: Systemd service sandboxing in contrib/unbound.service.
- iana portlist update
28 February 2017: Ralph
- Fix testpkts.c, check if DO bit is set, not only if there is an OPT
record.
28 February 2017: Wouter
- For #1227: if we have sha256, set the cipher list to have no
known vulns.
27 February 2017: Wouter
- Fix #1227: Fix that Unbound control allows weak ciphersuits.
- Fix #1226: provide official 32bit binary for windows.
24 February 2017: Wouter
- include sys/time.h for new shm code on NetBSD.
23 February 2017: Wouter
- Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
redirect.
- Patch from Luiz Fernando Softov for Stats Shared Memory.
- unbound-control stats_shm command prints stats using shared memory,
which uses less cpu.
- make depend, autoconf, doxygen and lint fixed up.
22 February 2017: Wouter
- Fix #1224: Fix that defaults should not fall back to "Program Files
(x86) if Unbound is 64bit by default on windows.
21 February 2017: Wouter
- iana portlist update
16 February 2017: Wouter
- sldns updated for vfixed and buffer resize indication from getdns.
15 February 2017: Wouter
- sldns has ED25519 and ED448 algorithm number and name for display.
14 February 2017: Wouter
- tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
13 February 2017: Wouter
- Fix autoconf of systemd check for lack of pkg-config.
10 February 2017: Wouter
- Fix pythonmod for typedef changes.
- Fix dnstap for warning of set but not used.
- tag 1.6.1rc2.
9 February 2017: Wouter
- tag 1.6.1rc1.
8 February 2017: Wouter
- Fix for type name change and fix warning on windows compile.
7 February 2017: Wouter
- Include root trust anchor id 20326 in unbound-anchor.
6 February 2017: Wouter
- Fix compile on solaris of the fix to use $host detect.
4 February 2017: Wouter
- fix root_anchor test for updated icannbundle.pem lower certificates.
26 January 2017: Wouter
- Fix 1211: Fix can't enable interface-automatic if no IPv6 with
more helpful error message.
20 January 2017: Wouter
- Increase MAX_MODULE to 16.
19 January 2017: Wouter
- Fix to Rename ub_callback_t to ub_callback_type, because POSIX
reserves _t typedefs.
- Fix to rename internally used types from _t to _type, because _t
type names are reserved by POSIX.
- iana portlist update
12 January 2017: Wouter
- Fix to also block meta types 128 through to 248 with formerr.
- Fix #1206: Some view-related commands are missing from 'unbound-control -h'
9 January 2017: Wouter
- Fix #1202: Fix code comment that packed_rrset_data is not always
'packed'.
6 January 2017: Wouter
- Fix #1201: Fix missing unlock in answer_from_cache error condition.
5 January 2017: Wouter
- Fix to return formerr for queries for meta-types, to avoid
packet amplification if this meta-type is sent on to upstream.
- Fix #1184: Log DNS replies. This includes the same logging
information that DNS queries and response code and response size,
patch from Larissa Feng.
- Fix #1187: Source IP rate limiting, patch from Larissa Feng.
3 January 2017: Wouter
- configure --enable-systemd and lets unbound use systemd sockets if
you enable use-systemd: yes in unbound.conf.
Also there are contrib/unbound.socket and contrib/unbound.service:
systemd files for unbound, install them in /usr/lib/systemd/system.
Contributed by Sami Kerola and Pavel Odintsov.
- Fix reload chdir failure when also chrooted to that directory.
2 January 2017: Wouter
- Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
23 December 2016: Ralph
- Fix #1190: Do not echo back EDNS options in local-zone error response.
- iana portlist update
21 December 2016: Ralph
- Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
with Nettle
19 December 2016: Ralph
- Fix #1191: remove comment about view deletion.
15 December 2016: Wouter
- iana portlist update
- 64bit is default for windows builds.
- Fix inet_ntop and inet_pton warnings in windows compile.
14 December 2016: Wouter
- Fix #1178: attempt to fix setup error at end, pop result values
at end of install.
13 December 2016: Wouter
- Fix #1182: Fix Resource leak (socket), at startup.
- Fix unbound-control and ipv6 only.
9 December 2016: Wouter
- Fix #1176: stack size too small for Alpine Linux.
8 December 2016: Wouter
- Fix downcast warnings from visual studio in sldns code.
- tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
7 December 2016: Ralph
- Add DSA support for OpenSSL 1.1.0
- Fix remote control without cert for LibreSSL
6 December 2016: George
- Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four EDNS
option lists were added to module_qstate (module_qstate.edns_opts_*) to
store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
functions can be called just before replying with local data or Chaos,
replying from cache, replying with SERVFAIL, replying with a resolved
query, sending a query to a nameserver. The functions can inspect the
available data and maybe change response/query related data (i.e. append
EDNS options).
- Updated Python module for the above.
- Updated Python documentation.
5 December 2016: Ralph
- Fix #1173: differ local-zone type deny from unset
tag_actions element.
5 December 2016: Wouter
- Fix #1170: document that 'inform' local-zone uses local-data.
1 December 2016: Ralph
- hyphen as minus fix, by Andreas Schulze
30 November 2016: Ralph
- Added local-zones and local-data bulk addition and removal
functionality in unbound-control (local_zones, local_zones_remove,
local_datas and local_datas_remove).
- iana portlist update
29 November 2016: Wouter
- version 1.6.0 is in the development branch.
- braces in view.c around lock statements.
28 November 2016: Wouter
- new install-sh.
25 November 2016: Wouter
- Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
using no encryption over the unix socket.
22 Novenber 2016: Ralph
- Make access-control-tag-data RDATA absolute. This makes the RDATA
origin consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
subdomain of the NSEC owner.
- QNAME minimisation uses QTYPE=A, therefore always check cache for
this type in harden-below-nxdomain functionality.
- Added unit test for QNAME minimisation + harden below nxdomain
synergy.
22 November 2016: Wouter
- iana portlist update.
- Fix unit tests for DS hash processing for fake-dsa test option.
- patch from Dag-Erling Smorgrav that removes code that relies
on sbrk().
21 November 2016: Wouter
- Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
Underneath" for the harden-below-nxdomain option.
10 November 2016: Ralph
- Fix #1155: test status code of unbound-control in 04-checkconf,
not the status code from the tee command.
4 November 2016: Ralph
- Added stub-ssl-upstream and forward-ssl-upstream options.
4 November 2016: Wouter
- configure detects ssl security level API function in the autoconf
manner. Every function on its own, so that other libraries (eg.
LibreSSL) can develop their API without hindrance.
- Fix #1154: segfault when reading config with duplicate zones.
- Note that for harden-below-nxdomain the nxdomain must be secure,
this means nsec3 with optout is insufficient.
3 November 2016: Ralph
- Set OpenSSL security level to 0 when using aNULL ciphers.
3 November 2016: Wouter
- .gitattributes line for githubs code language display.
- log-identity: config option to set sys log identity, patch from
"Robin H. Johnson" <robbat2@gentoo.org>
2 November 2016: Wouter
- iana portlist update.
31 October 2016: Wouter
- Fix failure to build on arm64 with no sbrk.
- iana portlist update.
28 October 2016: Wouter
- Patch for server.num.zero_ttl stats for count of expired replies,
from Pavel Odintsov.
26 October 2016: Wouter
- Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
with the undocumented switch 'fake-dsa'. It logs a warning.
25 October 2016: Wouter
- Fix #1134: unbound-control set_option -- val-override-date: -1 works
immediately to ignore datetime, or back to 0 to enable it again.
The -- is to ignore the '-1' as an option flag.
24 October 2016: Wouter
- serve-expired config option: serve expired responses with TTL 0.
- g.root-servers.net has AAAA address.
21 October 2016: Wouter
- Ported tests for local_cname unit test to testbound framework.
20 October 2016: Wouter
- suppress compile warning in lex files.
- init lzt variable, for older gcc compiler warnings.
- fix --enable-dsa to work, instead of copying ecdsa enable.
- Fix DNSSEC validation of query type ANY with DNAME answers.
- Fixup query_info local_alias init.
19 October 2016: Wouter
- Fix #1130: whitespace in example.conf.in more consistent.
18 October 2016: Wouter
- Patch that resolves CNAMEs entered in local-data conf statements that
point to data on the internet, from Jinmei Tatuya (Infoblox).
- Removed patch comments from acllist.c and msgencode.c
- Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
from Jinmei Tatuya (Infoblox).
- Fix #1125: unbound could reuse an answer packet incorrectly for
clients with different EDNS parameters, from Jinmei Tatuya.
- Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
- Added Requires line to libunbound.pc
- Please doxygen by modifying mesh.h
17 October 2016: Wouter
- Re-fix #839 from view commit overwrite.
- Fixup const void cast warning.
12 October 2016: Ralph
- Free view config elements.
11 October 2016: Ralph
- Added qname-minimisation-strict config option.
- iana portlist update.
- fix memoryleak logfile when in debug mode.
5 October 2016: Ralph
- Added views functionality.
- Fix #1117: spelling errors, from Robert Edmonds.
30 September 2016: Wouter
- Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
29 September 2016: Wouter
- Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
- Fix #839: Memory grows unexpectedly with large RPZ files.
- Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
- Fix #841: big local-zone's make it consume large amounts of memory.
27 September 2016: Wouter
- tag for 1.5.10 release
- trunk contains 1.5.11 in development.
- Fix dnstap relaying "random" messages instead of resolver/forwarder
responses, from Nikolay Edigaryev.
- Fix #836: unbound could echo back EDNS options in an error response.
20 September 2016: Wouter
- iana portlist update.
- Fix #835: fix --disable-dsa with nettle verify.
- tag for 1.5.10rc1 release.
15 September 2016: Wouter
- Fix 883: error for duplicate local zone entry.
- Test for openssl init_crypto and init_ssl functions.
15 September 2016: Ralph
- fix potential memory leak in daemon/remote.c and nullpointer
dereference in validator/autotrust.
- iana portlist update.
13 September 2016: Wouter
- Silenced flex-generated sign-unsigned warning print with gcc
diagnostic pragma.
- Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
9 September 2016: Wouter
- Fix #831: workaround for spurious fread_chk warning against petal.c
5 September 2016: Ralph
- Take configured minimum TTL into consideration when reducing TTL
to original TTL from RRSIG.
5 September 2016: Wouter
- Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
off-by-one typo, from Jinmei Tatuya (Infoblox).
- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- Fix #828: missing type in access-control-tag-action redirect results
in NXDOMAIN.
2 September 2016: Wouter
- Fix compile with openssl 1.1.0 with api=1.1.0.
1 September 2016: Wouter
- RFC 7958 is now out, updated docs for unbound-anchor.
- Fix for compile without warnings with openssl 1.1.0.
- Fix #826: Fix refuse_non_local could result in a broken response.
- iana portlist update.
29 August 2016: Wouter
- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
Siewior.
- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
25 August 2016: Ralph
- Clarify local-zone-override entry in unbound.conf.5
25 August 2016: Wouter
- 64bit build option for makedist windows compile, -w64.
24 August 2016: Ralph
- Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
in each iteration in find_tag_datas().
- unbound.conf.5 entries for define-tag, access-control-tag,
access-control-tag-action, access-control-tag-data, local-zone-tag,
and local-zone-override.
23 August 2016: Wouter
- Fix #804: unbound stops responding after outage. Fixes queries
that attempt to wait for an empty list of subqueries.
- Fix #804: lower num_target_queries for iterator also for failed
lookups.
8 August 2016: Wouter
- Note that OPENPGPKEY type is RFC 7929.
4 August 2016: Wouter
- Fix #807: workaround for possible some "unused" function parameters
in test code, from Jinmei Tatuya.
3 August 2016: Wouter
- use sendmsg instead of sendto for TFO.
28 July 2016: Wouter
- Fix #806: wrong comment removed.
26 July 2016: Wouter
- nicer ratelimit-below-domain explanation.
22 July 2016: Wouter
- Fix #801: missing error condition handling in
daemon_create_workers().
- Fix #802: workaround for function parameters that are "unused"
without log_assert.
- Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
20 July 2016: Wouter
- Fix typo in unbound.conf.
18 July 2016: Wouter
- Fix #798: Client-side TCP fast open fails (Linux).
14 July 2016: Wouter
- TCP Fast open patch from Sara Dickinson.
- Fixed unbound.doxygen for 1.8.11.
7 July 2016: Wouter
- access-control-tag-data implemented. verbose(4) prints tag debug.
5 July 2016: Wouter
- Fix dynamic link of anchor-update.exe on windows.
- Fix detect of mingw for MXE package build.
- Fixes for 64bit windows compile.
- Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
--with-libunbound-only --with-nettle.
4 July 2016: Wouter
- For #787: prefer-ip6 option for unbound.conf prefers to send
upstream queries to ipv6 servers.
- Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
freebind to use 64bits of entropy for every query with random local
part.
30 June 2016: Wouter
- Document always_transparent, always_refuse, always_nxdomain types.
29 June 2016: Wouter
- Fix static compile on windows missing gdi32.
28 June 2016: Wouter
- Create a pkg-config file for libunbound in contrib.
27 June 2016: Wouter
- Fix #784: Build configure assumess that having getpwnam means there
is endpwent function available.
- Updated repository with newer flex and bison output.
24 June 2016: Ralph
- Possibility to specify local-zone type for an acl/tag pair
- Possibility to specify (override) local-zone type for a source address
block
16 June 2016: Ralph
- Decrease dp attempts at each QNAME minimisation iteration
16 June 2016: Wouter
- Fix tcp timeouts in tv.usec.
15 June 2016: Wouter
- TCP_TIMEOUT is specified in milliseconds.
- If more than half of tcp connections are in use, a shorter timeout
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
14 June 2016: Ralph
- QNAME minimisation unit test for dropped QTYPE=A queries.
14 June 2016: Wouter
- Fix 775: unbound-host and unbound-anchor crash on windows, ignore
null delete for wsaevent.
- Fix spelling in freebind option man page text.
- Fix windows link of ssl with crypt32.
- Fix 779: Union casting is non-portable.
- Fix 780: MAP_ANON not defined in HP-UX 11.31.
- Fix 781: prealloc() is an HP-UX system library call.
13 June 2016: Ralph
- Use QTYPE=A for QNAME minimisation.
- Keep track of number of time-outs when performing QNAME minimisation.
Stop minimising when number of time-outs for a QNAME/QTYPE pair is
more than three.
13 June 2016: Wouter
- Fix #778: unbound 1.5.9: -h segfault (null deref).
- Fix directory: fix for unbound-checkconf, it restores cwd.
10 June 2016: Wouter
- And delete service.conf.shipped on uninstall.
- In unbound.conf directory: dir immediately changes to that directory,
so that include: file below that is relative to that directory.
With chroot, make the directory an absolute path inside chroot.
- keep debug symbols in windows build.
- do not delete service.conf on windows uninstall.
- document directory immediate fix and allow EXECUTABLE syntax in it
on windows.
9 June 2016: Wouter
- Trunk is called 1.5.10 (with previous fixes already in there to 2
june).
- Revert fix for NetworkService account on windows due to breakage
it causes.
- Fix that windows install will not overwrite existing service.conf
file (and ignore gui config choices if it exists).
7 June 2016: Ralph
- Lookup localzones by taglist from acl.
- Possibility to lookup local_zone, regardless the taglist.
- Added local_zone/taglist/acl unit test.
7 June 2016: Wouter
- Fix #773: Non-standard Python location build failure with pyunbound.
- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
6 June 2016: Wouter
- Better help text from -h (from Ray Griffith).
- access-control-tag config directive.
- local-zone-override config directive.
- access-control-tag-action and access-control-tag-data config
directives.
- free acl-tags, acltag-action and acltag-data config lists during
initialisation to free up memory for more entries.
3 June 2016: Wouter
- Fix to not ignore return value of chown() in daemon startup.
2 June 2016: Wouter
- Fix libubound for edns optlist feature.
- Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
- Fix #752: retry resource temporarily unavailable on control pipe.
- un-document localzone tags.
- tag for release 1.5.9rc1.
And this also became release 1.5.9.
- Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
Program Files with (x86) appended.
- re-documented localzone tags in example.conf.
31 May 2016: Wouter
- Fix windows service to be created run with limited rights, as a
network service account, from Mario Turschmann.
- compat strsep implementation.
- generic edns option parse and store code.
- and also generic edns options for upstream messages (and replies).
after parse use edns_opt_find(edns.opt_list, LDNS_EDNS_NSID),
to insert use edns_opt_append(edns, region, code, len, bindata) on
the opt_list passed to send_query, or in edns_opt_inplace_reply.
30 May 2016: Wouter
- Fix time in case answer comes from cache in ub_resolve_event().
- Attempted fix for #765: _unboundmodule missing for python3.
27 May 2016: Wouter
- Fix #770: Small subgroup attack on DH used in unix pipe on localhost
if unbound control uses a unix local named pipe.
- Document write permission to directory of trust anchor needed.
- Fix #768: Unbound Service Sometimes Can Not Shutdown
Completely, WER Report Shown Up. Close handle before closing WSA.
26 May 2016: Wouter
- Updated patch from Charles Walker.
24 May 2016: Wouter
- disable-dnssec-lame-check config option from Charles Walker.
- remove memory leak from lame-check patch.
- iana portlist update.
23 May 2016: Wouter
- Fix #767: Reference to an expired Internet-Draft in
harden-below-nxdomain documentation.
20 May 2016: Ralph
- No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
signed zones.
- iana portlist update.
19 May 2016: Wouter
- Fix #766: dns64 should synthesize results on timeout/errors.
18 May 2016: Wouter
- Fix #761: DNSSEC LAME false positive resolving nic.club.
17 May 2016: Wouter
- trunk updated with output of flex 2.6.0.
6 May 2016: Wouter
- Fix memory leak in out-of-memory conditions of local zone add.
29 April 2016: Wouter
- Fix sldns with static checking fixes copied from getdns.
28 April 2016: Wouter
- Fix #759: 0x20 capsforid no longer checks type PTR, for
compatibility with cisco dns guard. This lowers false positives.
18 April 2016: Wouter
- Fix some malformed responses to edns queries get fallback to nonedns.
15 April 2016: Wouter
- cachedb module event handling design.
14 April 2016: Wouter
- cachedb module framework (empty).
- iana portlist update.
12 April 2016: Wouter
- Fix #753: document dump_requestlist is for first thread.
24 March 2016: Wouter
- Document permit-small-holddown for 5011 debug.
- Fix #749: unbound-checkconf gets SIGSEGV when use against a
malformatted conf file.
23 March 2016: Wouter
- OpenSSL 1.1.0 portability, --disable-dsa configure option.
21 March 2016: Wouter
- Fix compile of getentropy_linux for SLES11 servicepack 4.
- Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
- Fix test for openssl to use HMAC_Update for 1.1.0.
- acx_nlnetlabs.m4 to v33, with HMAC_Update.
- acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
- ERR_remove_state deprecated since openssl 1.0.0.
- OPENSSL_config is deprecated, removing.
18 March 2016: Ralph
- Validate QNAME minimised NXDOMAIN responses.
- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
harden-below-nxdomain.
17 March 2016: Ralph
- Limit number of QNAME minimisation iterations.
17 March 2016: Wouter
- Fix #746: Fix unbound sets CD bit on all forwards.
If no trust anchors, it'll not set CD bit when forwarding to another
server. If a trust anchor, no CD bit on the first attempt to a
forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
- iana portlist update.
16 March 2016: Wouter
- Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
- Fix ip-transparent for tcp on freebsd.
15 March 2016: Wouter
- ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
binding to an IP address while the interface or address is down.
14 March 2016: Wouter
- Fix warnings in ifdef corner case, older or unknown libevent.
- Fix compile for ub_event code with older libev.
11 March 2016: Wouter
- Remove warning about unused parameter in event_pluggable.c.
- Fix libev usage of dispatch return value.
- No side effects in tolower() call, in case it is a macro.
- For test put free in pluggable api in parenthesis.
10 March 2016: Wouter
- Fixup backend2str for libev.
09 March 2016: Willem
- User defined pluggable event API for libunbound
- Fixup of compile fix for pluggable event API from P.Y. Adi
Prasaja.
09 March 2016: Wouter
- Updated configure and ltmain.sh.
- Updated L root IPv6 address.
07 March 2016: Wouter
- Fix #747: assert in outnet_serviced_query_stop.
- iana ports fetched via https.
- iana portlist update.
03 March 2016: Wouter
- configure tests for the weak attribute support by the compiler.
02 March 2016: Wouter
- 1.5.8 release tag
- trunk contains 1.5.9 in development.
- iana portlist update.
- Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
contains trailing dot.
24 February 2016: Wouter
- Fix OpenBSD asynclook lock free that gets used later (fix test code).
- Fix that NSEC3 negative cache is used when there is no salt.
23 February 2016: Wouter
- ub_ctx_set_stub() function for libunbound to config stub zones.
- sorted ubsyms.def file with exported libunbound functions.
19 February 2016: Wouter
- Print understandable debug log when unusable DS record is seen.
- load gost algorithm if digest is seen before key algorithm.
- iana portlist update.
17 February 2016: Wouter
- Fix that "make install" fails due to "text file busy" error.
16 February 2016: Wouter
- Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
15 February 2016: Wouter
- ip-transparent option for FreeBSD with IP_BINDANY socket option.
- wait for sendto to drain socket buffers when they are full.
9 February 2016: Wouter
- Test for type OPENPGPKEY.
- insecure-lan-zones: yesno config option, patch from Dag-Erling
Smørgrav.
8 February 2016: Wouter
- Fix patch typo in prevuous commit for 734 from Adi Prasaja.
- RR Type CSYNC support RFC 7477, in debug printout and config input.
- RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
29 January 2016: Wouter
- Neater cmdline_verbose increment patch from Edgar Pettijohn.
27 January 2016: Wouter
- Made netbsd sendmsg test nonfatal, in case of false positives.
- Fix #741: log message for dnstap socket connection is more clear.
26 January 2016: Wouter
- Fix #734: chown the pidfile if it resides inside the chroot.
- Use arc4random instead of random in tests (because it is
available, possibly as compat, anyway).
- Fix cmsg alignment for argument to sendmsg on NetBSD.
- Fix that unbound complains about unimplemented IP_PKTINFO for
sendmsg on NetBSD (for interface-automatic).
25 January 2016: Wouter
- Fix #738: Swig should not be invoked with CPPFLAGS.
19 January 2016: Wouter
- Squelch 'cannot assign requested address' log messages unless
verbosity is high, it was spammed after network down.
14 January 2016: Wouter
- Fix to simplify empty string checking from Michael McConville.
- iana portlist update.
12 January 2016: Wouter
- Fix #734: Do not log an error when the PID file cannot be chown'ed.
Patch from Simon Deziel.
11 January 2016: Wouter
- Fix test if -pthreads unused to use better grep for portability.
06 January 2016: Wouter
- Fix mingw crosscompile for recent mingw.
- Update aclocal, autoconf output with new versions (1.15, 2.4.6).
05 January 2016: Wouter
- #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
from Daisuke Higashi.
- Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
by default, and can be unblocked with "nodefault" localzone config.
04 January 2016: Wouter
- Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
for Linux glibc 2.20.
- Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
source code, so it applies cleanly again. Removed unused variable
warnings.
15 December 2015: Ralph
- Fix #729: omit use of escape sequences in echo since they are not
portable (unbound-control-setup).
11 December 2015: Wouter
- remove NULL-checks before free, patch from Michael McConville.
- updated ax_pthread.m4 to version 21 with clang support, this
removes a warning from compilation.
- OSX portability, detect if sbrk is deprecated.
- OSX clang, stop -pthread unused during link stage warnings.
- OSX clang new flto check.
10 December 2015: Wouter
- 1.5.7 release
- trunk has 1.5.8 in development.
8 December 2015: Wouter
- Fixup 724 for unbound-control.
7 December 2015: Ralph
- Do not minimise forwarded requests.
4 December 2015: Wouter
- Removed unneeded whitespace from example.conf.
3 December 2015: Ralph
- (after rc1 tag)
- Committed fix to qname minimisation and unit test case for it.
3 December 2015: Wouter
- iana portlist update.
- 1.5.7rc1 prerelease tag.
2 December 2015: Wouter
- Fixup 724: Fix PCA prompt for unbound-service-install.exe.
re-enable stdout printout.
- For 724: Add Changelog to windows binary dist.
1 December 2015: Ralph
- Qname minimisation review fixes
1 December 2015: Wouter
- Fixup 724 fix for fname_after_chroot() calls.
- Remove stdout printout for unbound-service-install.exe
- .gitignore for git users.
30 November 2015: Ralph
- Implemented qname minimisation
30 November 2015: Wouter
- Fix for #724: conf syntax to read files from run dir (on Windows).
25 November 2015: Wouter
- Fix for #720, fix unbound-control-setup windows batch file.
24 November 2015: Wouter
- Fix #720: add windows scripts to zip bundle.
- iana portlist update.
20 November 2015: Wouter
- Added assert on rrset cache correctness.
- Fix that malformed EDNS query gets a response without malformed EDNS.
18 November 2015: Wouter
- newer acx_nlnetlabs.m4.
- spelling fixes from Igor Sobrado Delgado.
17 November 2015: Wouter
- Fix #594. libunbound: optionally use libnettle for crypto.
Contributed by Luca Bruno. Added --with-nettle for use with
--with-libunbound-only.
- refactor nsec3 hash implementation to be more library-portable.
- iana portlist update.
- Fixup DER encoded DSA signatures for libnettle.
16 November 2015: Wouter
- Fix for lenient accept of reverse order DNAME and CNAME.
6 November 2015: Wouter
- Change example.conf: ftp.internic.net to https://www.internic.net
5 November 2015: Wouter
- ACX_SSL_CHECKS no longer adds -ldl needlessly.
3 November 2015: Wouter
- Fix #718: Fix unbound-control-setup with support for env
without HEREDOC bash support.
29 October 2015: Wouter
- patch from Doug Hogan for SSL_OP_NO_SSLvx options.
- Fix #716: nodata proof with empty non-terminals and wildcards.
28 October 2015: Wouter
- Fix checklock testcode for linux threads on exit.
27 October 2015: Wouter
- isblank() compat implementation.
- detect libexpat without xml_StopParser function.
- portability fixes.
- portability, replace snprintf if return value broken.
23 October 2015: Wouter
- Fix #714: Document config to block private-address for IPv4
mapped IPv6 addresses.
22 October 2015: Wouter
- Fix #712: unbound-anchor appears to not fsync root.key.
20 October 2015: Wouter
- 1.5.6 release.
- trunk tracks development of 1.5.7.
15 October 2015: Wouter
- Fix segfault in the dns64 module in the formaterror error path.
- Fix sldns_wire2str_rdata_scan for malformed RRs.
- tag for 1.5.6rc1 release.
14 October 2015: Wouter
- ANY responses include DNAME records if present, as per Evan Hunt's
remark in dnsop.
- Fix manpage to suggest using SIGTERM to terminate the server.
9 October 2015: Wouter
- Default for ssl-port is port 853, the temporary port assignment
for secure domain name system traffic.
If you used to rely on the older default of port 443, you have
to put a clause in unbound.conf for that. The new value is likely
going to be the standardised port number for this traffic.
- iana portlist update.
6 October 2015: Wouter
- 1.5.5 release.
- trunk tracks the development of 1.5.6.
28 September 2015: Wouter
- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
failures.
- tag for 1.5.5rc1 release.
- makedist.sh: pgp sig echo commands.
25 September 2015: Wouter
- Fix unbound-control flush that does not succeed in removing data.
22 September 2015: Wouter
- Fix config globbed include chroot treatment, this fixes reload of
globs (patch from Dag-Erling Smørgrav).
- iana portlist update.
- Fix #702: New IPs for for h.root-servers.net.
- Remove confusion comment from canonical_compare() function.
- Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
- testbound selftest also works in non-debug mode.
- Fix minor error in unbound.conf.5.in
- Fix unbound.conf(5) access-control description for precedence
and default.
31 August 2015: Wouter
- changed windows setup compression to be more transparent.
28 August 2015: Wouter
- Fix #697: Get PY_MAJOR_VERSION failure at configure for python
2.4 to 2.6.
- Feature #699: --enable-pie option to that builds PIE binary.
- Feature #700: --enable-relro-now option that enables full read-only
relocation.
24 August 2015: Wouter
- Fix deadlock for local data add and zone add when unbound-control
list_local_data printout is interrupted.
- iana portlist update.
- Change default of harden-algo-downgrade to off. This is lenient
for algorithm rollover.
13 August 2015: Wouter
- 5011 implementation does not insist on all algorithms, when
harden-algo-downgrade is turned off.
- Reap the child process that libunbound spawns.
11 August 2015: Wouter
- Fix #694: configure script does not detect LibreSSL 2.2.2
4 August 2015: Wouter
- Document that local-zone nodefault matches exactly and transparent
can be used to release a subzone.
3 August 2015: Wouter
- Document in the manual more text about configuring locally served
zones.
- Fix 5011 anchor update timer after reload.
- Fix mktime in unbound-anchor not using UTC.
30 July 2015: Wouter
- please afl-gcc (llvm) for uninitialised variable warning.
- Added permit-small-holddown config to debug fast 5011 rollover.
24 July 2015: Wouter
- Fix #690: Reload fails when so-reuseport is yes after changing
num-threads.
- iana portlist update.
21 July 2015: Wouter
- Fix configure to detect SSL_CTX_set_ecdh_auto.
- iana portlist update.
20 July 2015: Wouter
- Enable ECDHE for servers. Where available, use
SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
enable ECDHE. Otherwise, manually offer curve p256.
Client connections should automatically use ECDHE when available.
(thanks Daniel Kahn Gillmor)
18 July 2015: Willem
- Allow certificate chain files to allow for intermediate certificates.
(thanks Daniel Kahn Gillmor)
13 July 2015: Wouter
- makedist produces sha1 and sha256 files for created binaries too.
9 July 2015: Wouter
- 1.5.4 release tag
- trunk has 1.5.5 in development.
- Fix #681: Setting forwarders with unbound-control forward
implicitly turns on forward-first.
29 June 2015: Wouter
- iana portlist update.
- Fix alloc with log for allocation size checks.
26 June 2015: Wouter
- Fix #677 Fix DNAME responses from cache that failed internal chain
test.
- iana portlist update.
22 June 2015: Wouter
- Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
and was therefore always synthesized (thanks to Valentin Dietrich).
4 June 2015: Wouter
- RFC 7553 RR type URI support, is now enabled by default.
2 June 2015: Wouter
- Fix #674: Do not free pointers given by getenv.
29 May 2015: Wouter
- Fix that unparseable error responses are ratelimited.
- SOA negative TTL is capped at minimumttl in its rdata section.
- cache-max-negative-ttl config option, default 3600.
26 May 2015: Wouter
- Document that ratelimit works with unbound-control set_option.
21 May 2015: Wouter
- iana portlist update.
- documentation proposes ratelimit of 1000 (closer to what upstream
servers expect from us).
20 May 2015: Wouter
- DLV is going to be decommissioned. Advice to stop using it, and
put text in the example configuration and man page to that effect.
10 May 2015: Wouter
- Change syntax of particular validator error to be easier for
machine parse, swap rrset and ip adres info so it looks like:
validation failure <www.example.nl. TXT IN>: signature crypto
failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>
1 May 2015: Wouter
- caps-whitelist in unbound.conf allows whitelist of loadbalancers
that cannot work with caps-for-id or its fallback.
30 April 2015: Wouter
- Unit test for type ANY synthesis.
22 April 2015: Wouter
- Removed contrib/unbound_unixsock.diff, because it has been
integrated, use control-interface: /path in unbound.conf.
- iana portlist update.
17 April 2015: Wouter
- Synthesize ANY responses from cache. Does not search exhaustively,
but MX,A,AAAA,SOA,NS also CNAME.
- Fix leaked dns64prefix configuration string.
16 April 2015: Wouter
- Add local-zone type inform_deny, that logs query and drops answer.
- Ratelimit does not apply to prefetched queries, and ratelimit-factor
is default 10. Repeated normal queries get resolved and with
prefetch stay in the cache.
- Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
Use print_function also for Python2.
libunbound examples: produce sorted output.
libunbound-Python: libldns is not used anymore.
Fix issue with Python 3 mapping of FILE* using file_py3.i from ldns.
10 April 2015: Wouter
- unbound-control ratelimit_list lists high rate domains.
- ratelimit feature, ratelimit: 100, or some sensible qps, can be
used to turn it on. It ratelimits recursion effort per zone.
For particular names you can configure exceptions in unbound.conf.
- Fix that get_option for cache-sizes does not print double newline.
- Fix#663: ssl handshake fails when using unix socket because dh size
is too small.
8 April 2015: Wouter
- Fix crash in dnstap: Do not try to log TCP responses after timeout.
7 April 2015: Wouter
- Libunbound skips dos-line-endings from etc/hosts.
- Unbound exits with a fatal error when the auto-trust-anchor-file
fails to be writable. This is seconds after startup. You can
load a readonly auto-trust-anchor-file with trust-anchor-file.
The file has to be writable to notice the trust anchor change,
without it, a trust anchor change will be unnoticed and the system
will then become inoperable.
- unbound-control list_insecure command shows the negative trust
anchors currently configured, patch from Jelte Jansen.
2 April 2015: Wouter
- Fix #660: Fix interface-automatic broken in the presence of
asymmetric routing.
26 March 2015: Wouter
- remote.c probedelay line is easier to read.
- rename ldns subdirectory to sldns to avoid name collision.
25 March 2015: Wouter
- Fix #657: libunbound(3) recommends deprecated
CRYPTO_set_id_callback.
- If unknown trust anchor algorithm, and libressl is used, error
message encourages upgrade of the libressl package.
23 March 2015: Wouter
- Fix segfault on user not found at startup (from Maciej Soltysiak).
20 March 2015: Wouter
- Fixed to add integer overflow checks on allocation (defense in depth).
19 March 2015: Wouter
- Add ip-transparent config option for bind to non-local addresses.
17 March 2015: Wouter
- Use reallocarray for integer overflow protection, patch submitted
by Loganaden Velvindron.
16 March 2015: Wouter
- Fixup compile on cygwin, more portable openssl thread id.
12 March 2015: Wouter
- Updated default keylength in unbound-control-setup to 3k.
10 March 2015: Wouter
- Fix lintian warning in unbound-checkconf man page (from Andreas
Schulze).
- print svnroot when building windows dist.
- iana portlist update.
- Fix warning on sign compare in getentropy_linux.
9 March 2015: Wouter
- Fix #644: harden-algo-downgrade option, if turned off, fixes the
reported excessive validation failure when multiple algorithms
are present. It allows the weakest algorithm to validate the zone.
- iana portlist update.
5 March 2015: Wouter
- contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
scripts. Contributed by Yuri Voinov.
- Document that incoming-num-tcp increase is good for large servers.
- stats reports tcp usage, of incoming-num-tcp buffers.
4 March 2015: Wouter
- Patch from Brad Smith that syncs compat/getentropy_linux with
OpenBSD's version (2015-03-04).
- 0x20 fallback improved: servfail responses do not count as missing
comparisons (except if all responses are errors),
inability to find nameservers does not fail equality comparisons,
many nameservers does not try to compare more than max-sent-count,
parse failures start 0x20 fallback procedure.
- store caps_response with best response in case downgrade response
happens to be the last one.
- Document windows 8 tests.
3 March 2015: Wouter
- tag 1.5.3rc1
[ This became 1.5.3 on 10 March, trunk is 1.5.4 in development ]
2 March 2015: Wouter
- iana portlist update.
20 February 2015: Wouter
- Use the getrandom syscall introduced in Linux 3.17 (from Heiner
Kallweit).
- Fix #645 Portability to Solaris 10, use AF_LOCAL.
- Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
- Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
reload.
19 February 2015: Wouter
- 1.5.2 release tag.
- svn trunk contains 1.5.3 under development.
13 February 2015: Wouter
- Fix #643: doc/example.conf.in: unnecessary whitespace.
12 February 2015: Wouter
- tag 1.5.2rc1
11 February 2015: Wouter
- iana portlist update.
10 February 2015: Wouter
- Fix scrubber with harden-glue turned off to reject NS (and other
not-address) records.
9 February 2015: Wouter
- Fix validation failure in case upstream forwarder (ISC BIND) does
not have the same trust anchors and decides to insert unsigned NS
record in authority section.
2 February 2015: Wouter
- infra-cache-min-rtt patch from Florian Riehm, for expected long
uplink roundtrip times.
30 January 2015: Wouter
- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
section changes.
- Portability fix for Solaris ('sun' is not usable for a variable).
29 January 2015: Wouter
- Fix pyunbound byte string representation for python3.
26 January 2015: Wouter
- Fix unintended use of gcc extension for incomplete enum types,
compile with pedantic c99 compliance (from Daniel Dickman).
23 January 2015: Wouter
- windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
16 January 2015: Wouter
- unit test for local unix connection. Documentation and log_addr
does not inspect port for AF_LOCAL.
- unbound-checkconf -f prints chroot with pidfile path.
13 January 2015: Wouter
- iana portlist update.
12 January 2015: Wouter
- Cast sun_len sizeof to socklen_t.
- Fix pyunbound ord call, portable for python 2 and 3.
7 January 2015: Wouter
- Fix warnings in pythonmod changes.
6 January 2015: Wouter
- iana portlist update.
- patch for remote control over local sockets, from Dag-Erling
Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
control-use-cert: no.
- Fixup that patch and uid lookup (only for daemon).
- coded the default of control-use-cert, to yes.
5 January 2015: Wouter
- getauxval test for ppc64 linux compatibility.
- make strip works for unbound-host and unbound-anchor.
- patch from Stephane Lapie that adds to the python API, that
exposes struct delegpt, and adds the find_delegation function.
- print query name when max target count is exceeded.
- patch from Stuart Henderson that fixes DESTDIR in
unbound-control-setup for installs where config is not in
the prefix location.
- Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
IP_MTU_DISCOVER OMIT option (fix from Remi Gacogne).
- Updated contrib warmup.cmd/sh to support two modes - load
from pre-defined list of domains or (with filename as argument)
load from user-specified list of domains, and updated contrib
unbound_cache.sh/cmd to support loading/save/reload cache to/from
default path or (with secondary argument) arbitrary path/filename,
from Yuri Voinov.
- Patch from Philip Paeps to contrib/unbound_munin_ that uses
type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
unbound_munin_hits.graph_period minute
9 December 2014: Wouter
- svn trunk has 1.5.2 in development.
- config.guess and config.sub update from libtoolize.
- local-zone: example.com inform makes unbound log a message with
client IP for queries in that zone. Eg. for finding infected hosts.
8 December 2014: Wouter
- Fix CVE-2014-8602: denial of service by making resolver chase
endless series of delegations.
1 December 2014: Wouter
- Fix bug#632: unbound fails to build on AArch64, protects
getentropy compat code from calling sysctl if it is has been removed.
29 November 2014: Wouter
- Add include to getentropy_linux.c, hopefully fixing debian build.
28 November 2014: Wouter
- Fix makefile for build from noexec source tree.
26 November 2014: Wouter
- Fix libunbound undefined symbol errors for main.
Referencing main does not seem to be possible for libunbound.
24 November 2014: Wouter
- Fix log at high verbosity and memory allocation failure.
- iana portlist update.
21 November 2014: Wouter
- Fix crash on multiple thread random usage on systems without
arc4random.
20 November 2014: Wouter
- fix compat/getentropy_win.c check if CryptGenRandom works and no
immediate exit on windows.
19 November 2014: Wouter
- Fix cdflag dns64 processing.
18 November 2014: Wouter
- Fix that CD flag disables DNS64 processing, returning the DNSSEC
signed AAAA denial.
- iana portlist update.
17 November 2014: Wouter
- Fix #627: SSL_CTX_load_verify_locations return code not properly
checked.
14 November 2014: Wouter
- parser with bison 2.7
13 November 2014: Wouter
- Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
added to contrib/aaaa-filter-iterator.patch.
12 November 2014: Wouter
- trunk has 1.5.1 in development.
- Patch from Robert Edmonds to build pyunbound python module
differently. No versioninfo, with -shared and without $(LIBS).
- Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
- Removed 'increased limit open files' log message that is written
to console. It is only written on verbosity 4 and higher.
This keeps system bootup console cleaner.
- Patch from James Raftery, always print stats for rcodes 0..5.
11 November 2014: Wouter
- iana portlist update.
- Fix bug where forward or stub addresses with same address but
different port number were not tried.
- version number in svn trunk is 1.5.0
- tag 1.5.0rc1
- review fix from Ralph.
7 November 2014: Wouter
- dnstap fixes by Robert Edmonds:
dnstap/dnstap.m4: cosmetic fixes
dnstap/: Remove compiled protoc-c output files
dnstap/dnstap.m4: Error out if required libraries are not found
dnstap: Fix ProtobufCBufferSimple usage that is incorrect as of
protobuf-c 1.0.0
dnstap/: Adapt to API changes in latest libfstrm (>= 0.2.0)
4 November 2014: Wouter
- Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
tracked trust anchor to libunbound.
- Redefine internal minievent symbols to unique symbols that helps
linking on platforms where the linker leaks names across modules.
27 October 2014: Wouter
- Disabled use of SSLv3 in remote-control and ssl-upstream.
- iana portlist update.
16 October 2014: Wouter
- Documented dns64 configuration in unbound.conf man page.
13 October 2014: Wouter
- Fix #617: in ldns in unbound, lowercase WKS services.
- Fix ctype invocation casts.
10 October 2014: Wouter
- Fix unbound-checkconf check for module config with dns64 module.
- Fix unbound capsforid fallback, it ignores TTLs in comparison.
6 October 2014: Wouter
- Fix #614: man page variable substitution bug.
6 October 2014: Willem
- Whitespaces after $ORIGIN are not part of the origin dname (ldns).
- $TTL's value starts at position 5 (ldns).
1 October 2014: Wouter
- fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
29 September 2014: Wouter
- Fix #612: create service with service.conf in present directory and
auto load it.
- Fix for mingw compile openssl ranlib.
25 September 2014: Wouter
- updated configure and aclocal with newer autoconf 1.13.
22 September 2014: Wouter
- Fix swig and python examples for Python 3.x.
- Fix for mingw compile with openssl-1.0.1i.
19 September 2014: Wouter
- improve python configuration detection to build on Fedora 22.
18 September 2014: Wouter
- patches to also build with Python 3.x (from Pavel Simerda).
16 September 2014: Wouter
- Fix tcp timer waiting list removal code.
- iana portlist update.
- Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
is longer and more tcp connections can be handled.
15 September 2014: Wouter
- Fix unit test for CDS typecode.
5 September 2014: Wouter
- type CDS and CDNSKEY types in sldns.
25 August 2014: Wouter
- Fixup checklock code for log lock and its mutual initialization
dependency.
- iana portlist update.
- Removed necessity for pkg-config from the dnstap.m4, new are
the --with-libfstrm and --with-protobuf-c configure options.
19 August 2014: Wouter
- Update unbound manpage with more explanation (from Florian Obser).
18 August 2014: Wouter
- Fix #603: unbound-checkconf -o <option> should skip verification
checks.
- iana portlist update.
- Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
5 August 2014: Wouter
- dnstap support, with a patch from Farsight Security, written by
Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
It is BSD licensed (see dnstap/dnstap.c).
Building with --enable-dnstap needs pkg-config with this patch.
- Noted dnstap in doc/README and doc/CREDITS.
- Changes to the dnstap patch.
- lint fixes.
- dnstap/dnstap_config.h should not have been added to the repo,
because is it generated.
1 August 2014: Wouter
- Patch add msg, rrset, infra and key cache sizes to stats command
from Maciej Soltysiak.
- iana portlist update.
31 July 2014: Wouter
- DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
Initial commit of the patch from the FreeBSD base (with its fixes).
This adds a module (for module-config in unbound.conf) dns64 that
performs DNS64 processing, see README.DNS64.
- Changes from DNS64:
strcpy changed to memmove.
arraybound check fixed from prefix_net/8/4 to prefix_net/8+4.
allocation of result consistently in the correct region.
time_t is now used for ttl in unbound (since the patch's version).
- testdata/dns64_lookup.rpl for unit test for dns64 functionality.
29 July 2014: Wouter
- Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
does not fork in the background and also logs to stderr.
21 July 2014: Wouter
- Fix endian.h include for OpenBSD.
16 July 2014: Wouter
- And Fix#596: Bail out of unbound-control dump_infra when ssl
write fails.
15 July 2014: Wouter
- Fix #596: Bail out of unbound-control list_local_zones when ssl
write fails.
- iana portlist update.
13 July 2014: Wouter
- Configure tests if main can be linked to from getentropy compat.
12 July 2014: Wouter
- Fix getentropy compat code, function refs were not portable.
- Fix to check openssl version number only for OpenSSL.
- LibreSSL provides compat items, check for that in configure.
- Fix bug in fix for log locks that caused deadlock in signal handler.
- update compat/getentropy and arc4random to the most recent ones from OpenBSD.
11 July 2014: Matthijs
- fake-rfc2553 patch (thanks Benjamin Baier).
11 July 2014: Wouter
- arc4random in compat/ and getentropy, explicit_bzero, chacha for
dependencies, from OpenBSD. arc4_lock and sha512 in compat.
This makes arc4random available on all platforms, except when
compiled with LIBNSS (it uses libNSS crypto random).
- fix strptime implicit declaration error on OpenBSD.
- arc4random, getentropy and explicit_bzero compat for Windows.
4 July 2014: Wouter
- Fix #593: segfault or crash upon rotating logfile.
3 July 2014: Wouter
- DLV tests added.
- signit tool fixup for compile with libldns library.
- iana portlist updated.
27 June 2014: Wouter
- so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
26 June 2014: Wouter
- unbound-control status reports if so-reuseport was successful.
- iana portlist updated.
24 June 2014: Wouter
- Fix caps-for-id fallback, and added fallback attempt when servers
drop 0x20 perturbed queries.
- Fixup testsetup for VM tests (run testcode/run_vm.sh).
17 June 2014: Wouter
- iana portlist updated.
3 June 2014: Wouter
- Add AAAA for B root server to default root hints.
2 June 2014: Wouter
- Remove unused define from iterator.h
30 May 2014: Wouter
- Fixup sldns_enum_edns_option typedef definition.
28 May 2014: Wouter
- Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
fixes from FreeBSD's copy of Unbound, he notes:
Generate unbound-control-setup.sh at build time so it respects
prefix and sysconfdir from the configure script. Also fix the
umask to match the comment, and the comment to match the umask.
Add const and static where needed. Use unions instead of
playing pointer poker. Move declarations that are needed in
multiple source files into a shared header. Move sldns_bgetc()
from parse.c to buffer.c where it belongs. Introduce a new
header file, worker.h, which declares the callbacks that
all workers must define. Remove those declarations from
libworker.h. Include the correct headers in the correct places.
Fix a few dummy callbacks that don't match their prototype.
Fix some casts. Hide the sbrk madness behind #ifdef HAVE_SBRK.
Remove a useless printf which breaks reproducible builds.
Get rid of CONFIGURE_{TARGET,DATE,BUILD_WITH} now that they're
no longer used. Add unbound-control-setup.sh to the list of
generated files. The prototype for libworker_event_done_cb()
needs to be moved from libunbound/libworker.h to
libunbound/worker.h.
- Fixup out-of-directory compile with unbound-control-setup.sh.in.
- make depend.
23 May 2014: Wouter
- unbound-host -D enabled dnssec and reads root trust anchor from
the default root key file that was compiled in.
20 May 2014: Wouter
- Feature, unblock-lan-zones: yesno that you can use to make unbound
perform 10.0.0.0/8 and other reverse lookups normally, for use if
unbound is running service for localhost on localhost.
16 May 2014: Wouter
- Updated create_unbound_ad_servers and unbound_cache scripts from
Yuri Voinov in the source/contrib directory. Added
warmup.cmd (and .sh): warm up the DNS cache with your MRU domains.
9 May 2014: Wouter
- Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
- iana portlist updated.
8 May 2014: Wouter
- Contrib windows scripts from Yuri Voinov added to src/contrib:
create_unbound_ad_servers.cmd: enters anti-ad server lists.
unbound_cache.cmd: saves and loads the cache.
- Added unbound-control-setup.cmd from Yuri Voinov to the windows
unbound distribution set. It requires openssl installed in %PATH%.
6 May 2014: Wouter
- Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
5 May 2014: Wouter
- More #567: remove : from output of stub and forward lists, this is
easier to parse.
29 April 2014: Wouter
- iana portlist updated.
- Add unbound-control flush_negative that flushed nxdomains, nodata,
and errors from the cache. For dnssec-trigger and NetworkManager,
fixes cases where network changes have localdata that was already
negatively cached from the previous network.
23 April 2014: Wouter
- Patch from Jeremie Courreges-Anglas to use arc4random_uniform
if available on the OS, it gets entropy from the OS.
15 April 2014: Wouter
- Fix compile with libevent2 on FreeBSD.
11 April 2014: Wouter
- Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
but it stops the use of the ipv6 transport layer for DNS traffic.
- iana portlist updated.
10 April 2014: Wouter
- iana portlist updated.
- Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
option for DNS fragmentation defense.
- Document that dump_requestlist only prints queries from thread 0.
- unbound-control stats prints num.query.tcpout with number of TCP
outgoing queries made in the previous statistics interval.
- Fix #567: unbound lists if forward zone is secure or insecure with
+i annotation in output of list_forwards, also for list_stubs
(for NetworkManager integration.)
- Fix #554: use unsigned long to print 64bit statistics counters on
64bit systems.
- Fix #558: failed prefetch lookup does not remove cached response
but delays next prefetch (in lieu of caching a SERVFAIL).
- Fix #545: improved logging, the ip address of the error is printed
on the same log-line as the error.
8 April 2014: Wouter
- Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
in testbound scripts.
- iana portlist updated.
7 April 2014: Wouter
- C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
hints (patch from Anand Buddhdev).
- Fix #572: Fix unit test failure for systems with different
/etc/services.
28 March 2014: Wouter
- Fix #569: do_tcp is do-tcp in unbound.conf man page.
25 March 2014: Wouter
- Patch from Stuart Henderson to build unbound-host man from .1.in.
24 March 2014: Wouter
- Fix print filename of encompassing config file on read failure.
12 March 2014: Wouter
- tag 1.4.22
- trunk has 1.4.23 in development.
10 March 2014: Wouter
- Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
because of spelling. Patch from Chris Coates.
27 February 2014: Wouter
- tag 1.4.22rc1
21 February 2014: Wouter
- iana portlist updated.
20 February 2014: Matthijs
- Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
received. This is okay according 4035, but not after revising
existence in 4592. NSEC empty non-terminals exist and thus the
RCODE should have been NOERROR. If this occurs, and the RRsets
are secure, we set the RCODE to NOERROR and the security status
of the response is also considered secure.
14 February 2014: Wouter
- Works on Minix (3.2.1).
11 February 2014: Wouter
- Fix parse of #553(NSD) string in sldns, quotes without spaces.
7 February 2014: Wouter
- iana portlist updated.
- add body to ifstatement if locks disabled.
- add TXT string"string" test case to unit test.
- Fix #551: License change "Regents" to "Copyright holder", matching
the BSD license on opensource.org.
6 February 2014: Wouter
- sldns has type HIP.
- code documentation on the module interface.
5 February 2014: Wouter
- Fix sldns parse tests on osx.
3 February 2014: Wouter
- Detect libevent2 install automatically by configure.
- Fixup link with lib/event2 subdir.
- Fix parse in sldns of quoted parenthesized text strings.
31 January 2014: Wouter
- unit test for ldns wire to str and back with zones, root, nlnetlabs
and types.sidnlabs.
- Fix for hex to string in unknown, atma and nsap.
- fixup nss compile (no ldns in it).
- fixup warning in unitldns
- fixup WKS and rdata type service to print unsigned because strings
are not portable; they cannot be read (for sure) on other computers.
- fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
parse sldns.
30 January 2014: Wouter
- delay-close does not act if there are udp-wait queries, so that
it does not make a socketdrain DoS easier.
28 January 2014: Wouter
- iana portlist updated.
- iana portlist test updated so it does not touch the source
if there are no changes.
- delay-close: msec option that delays closing ports for which
the UDP reply has timed out. Keeps the port open, only accepts
the correct reply. This correct reply is not used, but the port
is open so that no port-denied ICMPs are generated.
27 January 2014: Wouter
- reuseport is attempted, then fallback to without on failure.
24 January 2014: Wouter
- Change unbound-event.h to use void* buffer, length idiom.
- iana portlist updated.
- unbound-event.h is installed if you configure --enable-event-api.
- speed up unbound (reports say it could be up to 10%), by reducing
lock contention on localzones.lock. It is changed to an rwlock.
- so-reuseport: yesno option to distribute queries evenly over
threads on Linux (Thanks Robert Edmonds).
- made lint clean.
21 January 2014: Wouter
- Fix #547: no trustanchor written if filesystem full, fclose checked.
17 January 2014: Wouter
- Fix isprint() portability in sldns, uses unsigned int.
- iana portlist updated.
16 January 2014: Wouter
- fix #544: Fixed +i causes segfault when running with module conf
"iterator".
- Windows port, adjust %lld to %I64d, and warning in win_event.c.
14 January 2014: Wouter
- iana portlist updated.
5 Dec 2013: Wouter
- Fix bug in cachedump that uses sldns.
- update pythonmod for ldns_ to sldns_ name change.
3 Dec 2013: Wouter
- Fix sldns to use sldns_ prefix for all ldns_ variables.
- Fix windows compile to compile with sldns.
30 Nov 2013: Wouter
- Fix sldns to make globals use sldns_ prefix. This fixes
linking with libldns that uses global variables ldns_ .
13 Nov 2013: Wouter
- Fix bug#537: compile python plugin without ldns library.
12 Nov 2013: Wouter
- Fix bug#536: acl_deny_non_local and refuse_non_local added.
5 Nov 2013: Wouter
- Patch from Neel Goyal to fix async id assignment if callback
is called by libunbound in the mesh attach.
- Accept ip-address: as an alternative for interface: for
consistency with nsd.conf syntax.
4 Nov 2013: Wouter
- Patch from Neel Goyal to fix callback in libunbound.
3 Nov 2013: Wouter
- if configured --with-libunbound-only fix make install.
31 Oct 2013: Wouter
- Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
more specific interface port 53 can be used at the same time, and
one of the daemons is unbound.
- iana portlist update.
- separate ldns into core ldns inside ldns/ subdirectory. No more
--with-ldns is needed and unbound does not rely on libldns.
- portability fixes for new USE_SLDNS ldns subdir codebase.
22 Oct 2013: Wouter
- Patch from Neel Goyal: Add an API call to set an event base on an
existing ub_ctx. This basically just destroys the current worker and
sets the event base to the current. And fix a deadlock in
ub_resolve_event – the cfglock is held when libworker_create is
called. This ends up trying to acquire the lock again in
context_obtain_alloc in the call chain.
- Fix #528: if very high logging (4 or more) segfault on allow_snoop.
26 Sep 2013: Wouter
- unbound-event.h is installed if configured --with-libevent. It
contains low-level library calls, that use libevent's event_base
and an ldns_buffer for the wire return packet to perform async
resolution in the client's eventloop.
19 Sep 2013: Wouter
- 1.4.21 tag created.
- trunk has 1.4.22 number inside it.
- iana portlist updated.
- acx_nlnetlabs.m4 to 26; improve FLTO help text.
16 Sep 2013: Wouter
- Fix#524: max-udp-size not effective to non-EDNS0 queries, from
Daisuke HIGASHI.
10 Sep 2013: Wouter
- MIN_TTL and MAX_TTL also in time_t.
- tag 1.4.21rc1 made again.
26 Aug 2013: Wouter
- More fixes for bug#519: for the threaded case test if the bg
thread has been killed, on ub_ctx_delete, to avoid hangs.
22 Aug 2013: Wouter
- more fixes that I overlooked.
- review fixes from Willem.
21 Aug 2013: Wouter
- Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
20 Aug 2013: Wouter
- Fix for 2038, with time_t instead of uint32_t.
19 Aug 2013: Wouter
- Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
14 Aug 2013: Wouter
- Fix uninit variable in fix#516.
8 Aug 2013: Wouter
- Fix#516 dnssec lameness detection for answers that are improper.
30 Jun 2013: Wouter
- tag 1.4.21rc1
29 Jun 2013: Wouter
- Fix#512 memleak in testcode for testbound (if it fails).
- Fix#512 NSS returned arrays out of setup function to be statics.
26 Jun 2013: Wouter
- max include of 100.000 files (depth and globbed at one time).
This is to preserve system memory in bug cases, or endless cases.
- iana portlist updated.
19 Jun 2013: Wouter
- streamtcp man page, contributed by Tomas Hozza.
- iana portlist updated.
- libunbound documentation on how to avoid openssl race conditions.
25 Jun 2013: Wouter
- Squelch sendto-permission denied errors when the network is
not connected, to avoid spamming syslog.
- configure --disable-flto option (from Robert Edmonds).
18 Jun 2013: Wouter
- Fix for const string literals in C++ for libunbound, from Karel
Slany.
- iana portlist updated.
17 Jun 2013: Wouter
- Fixup manpage syntax.
14 Jun 2013: Wouter
- get_option and set_option support for log-time-ascii, python-script
val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
immediately. The others are mostly useful for libunbound users.
13 Jun 2013: Wouter
- get_option, set_option, unbound-checkconf -o and libunbound
getoption and setoption support cache-min-ttl and cache-max-ttl.
10 Jun 2013: Wouter
- Fix#501: forward-first does not recurse, when forward name is ".".
- iana portlist update.
- Max include depth is unlimited.
27 May 2013: Wouter
- Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
patch to it to not fail when -Werror is also specified, from the
autoconf-archives.
- iana portlist update.
21 May 2013: Wouter
- Explain bogus and secure flags in libunbound more.
16 May 2013: Wouter
- Fix#499 use-after-free in out-of-memory handling code (thanks Jake
Montgomery).
- Fix#500 use on non-initialised values on socket bind failures.
15 May 2013: Wouter
- Fix round-robin doesn't work with some Windows clients (from Ilya
Bakulin).
3 May 2013: Wouter
- update acx_nlnetlabs.m4 to v23, sleep w32 fix.
26 April 2013: Wouter
- add unbound-control insecure_add and insecure_remove for the
administration of negative trust anchors.
25 April 2013: Wouter
- Implement max-udp-size config option, default 4096 (thanks
Daisuke Higashi).
- Robust checks on dname validity from rdata for dname compare.
- updated iana portlist.
19 April 2013: Wouter
- Fixup snprintf return value usage, fixed libunbound_get_option.
18 April 2013: Wouter
- fix bug #491: pick program name (0th argument) as syslog identity.
- own implementation of compat/snprintf.c.
15 April 2013: Wouter
- Fix so that for a configuration line of include: "*.conf" it is not
an error if there are no files matching the glob pattern.
- unbound-anchor review: BIO_write can return 0 successfully if it
has successfully appended a zero length string.
11 April 2013: Wouter
- Fix queries leaking up for stubs and forwards, if the configured
nameservers all fail to answer.
10 April 2013: Wouter
- code improve for minimal responses, small speed increase.
9 April 2013: Wouter
- updated iana portlist.
- Fix crash in previous private address fixup of 22 March.
28 March 2013: Wouter
- Make reverse zones easier by documenting the nodefault statements
commented-out in the example config file.
26 March 2013: Wouter
- more fixes to lookup3.c endianness detection.
25 March 2013: Wouter
- #492: Fix endianness detection, revert to older lookup3.c detection
and put new detect lines after previous tests, to avoid regressions
but allow new detections to succeed.
And add detection for machine/endian.h to it.
22 March 2013: Wouter
- Fix resolve of names that use a mix of public and private addresses.
- iana portlist update.
- Fix makedist for new svn for -d option.
- unbound.h header file has UNBOUND_VERSION_MAJOR define.
- Fix windows RSRC version for long version numbers.
21 March 2013: Wouter
- release 1.4.20
- trunk has 1.4.21
- committed libunbound version 4:1:2 for binary API updated in 1.4.20
- install copy of unbound-control.8 man page for unbound-control-setup
14 March 2013: Wouter
- iana portlist update.
- tag 1.4.20rc1
12 March 2013: Wouter
- Fixup makedist.sh for windows compile.
11 March 2013: Wouter
- iana portlist update.
- testcode/ldns-testpkts.c check for makedist is informational.
15 February 2013: Wouter
- fix defines in lookup3 for bigendian bsd alpha
11 February 2013: Wouter
- Fixup openssl_thread init code to only run if compiled with SSL.
7 February 2013: Wouter
- detect endianness in lookup3 on BSD.
- add libunbound.ttl at end of result structure, version bump for
libunbound and binary backwards compatible, but 1.4.19 is not
forward compatible with 1.4.20.
- update iana port list.
30 January 2013: Wouter
- includes and have_ssl fixes for nss.
29 January 2013: Wouter
- printout name of zone with duplicate fwd and hint errors.
28 January 2013: Wouter
- updated fwd_zero for newer nc. Updated common.sh for newer netstat.
17 January 2013: Wouter
- unbound-anchors checks the emailAddress of the signer of the
root.xml file, default is dnssec@iana.org. It also checks that
the signer has the correct key usage for a digital signature.
- update iana port list.
3 January 2013: Wouter
- Test that unbound-control checks client credentials.
- Test that unbound can handle a CNAME at an intermediate node in
the chain of trust (where it seeks a DS record).
- Check the commonName of the signer of the root.xml file in
unbound-anchor, default is dnssec@iana.org.
2 January 2013: Wouter
- Fix openssl lock free on exit (reported by Robert Fleischman).
- iana portlist updated.
- Tested that unbound implements the RFC5155 Technical Errata id 3441.
Unbound already implements insecure classification of an empty
nonterminal in NSEC3 optout zone.
20 December 2012: Wouter
- Fix unbound-anchor xml parse of entity declarations for safety.
19 December 2012: Wouter
- iana portlist updated.
18 December 2012: Wouter
- iana portlist updated.
14 December 2012: Wouter
- Change of D.ROOT-SERVERS.NET A address in default root hints.
12 December 2012: Wouter
- 1.4.19 release.
- trunk has 1.4.20 under development.
5 December 2012: Wouter
- note support for AAAA RR type RFC.
4 December 2012: Wouter
- 1.4.19rc1 tag.
30 November 2012: Wouter
- bug 481: fix python example0.
- iana portlist updated.
27 November 2012: Wouter
- iana portlist updated.
9 November 2012: Wouter
- Fix unbound-control forward disables configured stubs below it.
7 November 2012: Wouter
- Fixup ldns-testpkts, identical to ldns/examples.
- iana portlist updated.
30 October 2012: Wouter
- Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
29 October 2012: Matthijs
- Fix validation for responses with both CNAME and wildcard
expanded CNAME records in answer section.
8 October 2012: Wouter
- update ldns-testpkts.c to ldns 1.6.14 version.
- fix build of pythonmod in objdir, for unbound.py.
- make clean and makerealclean remove generated python and docs.
5 October 2012: Wouter
- fix build of pythonmod in objdir (thanks Jakob Schlyter).
3 October 2012: Wouter
- fix text in unbound-anchor man page.
1 October 2012: Wouter
- ignore trusted-keys globs that have no files (from Paul Wouters).
27 September 2012: Wouter
- include: directive in config file accepts wildcards. Patch from
Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
- unbound-control -q option is quiet, patch from Mariano Absatz.
- iana portlist updated.
- updated contrib/unbound.spec, patch from Valentin Bud.
21 September 2012: Wouter
- chdir to / after chroot call (suggested by Camiel Dobbelaar).
17 September 2012: Wouter
- patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
otherwise it is treated as insecure. The RSAMD5 algorithm is
deprecated (RFC6725). The MD5 hash is considered weak for some
purposes, if you want to sign your zone, then RSASHA256 is an
uncontested hash.
30 August 2012: Wouter
- RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
- iana portlist updated.
29 August 2012: Wouter
- Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
22 August 2012: Wouter
- Fallback to 1472 and 1232, one fragment size without headers.
21 August 2012: Wouter
- Fix timeouts so that when a server has been offline for a while
and is probed to see it works, it becomes fully available for
server selection again.
17 August 2012: Wouter
- Add documentation to libunbound for default nonuse of resolv.conf.
2 August 2012: Wouter
- trunk has 1.4.19 under development (fixes from 1 aug and 31 july
are for 1.4.19).
- iana portlist updated.
1 August 2012: Wouter
- Fix openssl race condition, initializes openssl locks, reported
by Einar Lonn and Patrik Wallstrom.
31 July 2012: Wouter
- Improved forward-first and stub-first documentation.
- Fix that enables modules to register twice for the same
serviced_query, without race conditions or administration issues.
This should not happen with the current codebase, but it is robust.
- Fix forward-first option where it sets the RD flag wrongly.
- added manpage links for libunbound calls (Thanks Paul Wouters).
30 July 2012: Wouter
- tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
27 July 2012: Wouter
- unbound-host works with libNSS
- fix bogus nodata cname chain not reported as bogus by validator,
(Thanks Peter van Dijk).
26 July 2012: Wouter
- iana portlist updated.
- tag 1.4.18rc1.
25 July 2012: Wouter
- review fix for libnss, check hash prefix allocation size.
23 July 2012: Wouter
- fix missing break for GOST DS hash function.
- implemented forward_first for the root.
20 July 2012: Wouter
- Fix bug#452 and another assertion failure in mesh.c, makes
assertions in mesh.c resist duplicates. Fixes DS NS search to
not generate duplicate sub queries.
19 July 2012: Willem
- Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
if CFLAGS is specified at configure time then '-g -O2' is not
appended to CFLAGS, so that the user can override them.
18 July 2012: Willem
- Fix libunbound report of errors when in background mode.
11 July 2012: Willem
- updated iana ports list.
9 July 2012: Willem
- Add flush_bogus option for unbound-control
6 July 2012: Wouter
- Fix validation of qtype DS queries that result in no data for
non-optout NSEC3 zones.
4 July 2012: Wouter
- compile libunbound with libnss on Suse, passes regression tests.
3 July 2012: Wouter
- FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
2 July 2012: Wouter
- updated iana ports list.
29 June 2012: Wouter
- patch for unbound_munin_ script to handle arbitrary thread count by
Sven Ulland.
28 June 2012: Wouter
- detect if openssl has FIPS_mode.
- code review: return value of cache_store can be ignored for better
performance in out of memory conditions.
- fix edns-buffer-size and msg-buffer-size manpage documentation.
- updated iana ports list.
25 June 2012: Wouter
- disable RSAMD5 if in FIPS mode (for openssl and for libnss).
22 June 2012: Wouter
- implement DS records, NSEC3 and ECDSA for compile with libnss.
21 June 2012: Wouter
- fix error handling of alloc failure during rrsig verification.
- nss check for verification failure.
- nss crypto works for RSA and DSA.
20 June 2012: Wouter
- work on --with-nss build option (for now, --with-libunbound-only).
19 June 2012: Wouter
- --with-libunbound-only build option, only builds the library and
not the daemon and other tools.
18 June 2012: Wouter
- code review.
15 June 2012: Wouter
- implement log-time-ascii on windows.
- The key-cache bad key ttl is now 60 seconds.
- updated iana ports list.
- code review.
11 June 2012: Wouter
- bug #452: fix crash on assert in mesh_state_attachment.
30 May 2012: Wouter
- silence warning from swig-generated code (md set but not used in
swig initmodule, due to ifdefs in swig-generated code).
27 May 2012: Wouter
- Fix debian-bugs-658021: Please enable hardened build flags.
25 May 2012: Wouter
- updated iana ports list.
24 May 2012: Wouter
- tag for 1.4.17 release.
- trunk is 1.4.18 in development.
18 May 2012: Wouter
- Review comments, removed duplicate memset to zero in delegpt.
16 May 2012: Wouter
- Updated doc/FEATURES with RFCs that are implemented but not listed.
- Protect if statements in val_anchor for compile without locks.
- tag for 1.4.17rc1.
15 May 2012: Wouter
- fix configure ECDSA support in ldns detection for windows compile.
- fix possible uninitialised variable in windows pipe implementation.
9 May 2012: Wouter
- Fix alignment problem in util/random on sparc64/freebsd.
8 May 2012: Wouter
- Fix for accept spinning reported by OpenBSD.
- iana portlist updated.
2 May 2012: Wouter
- Fix validation of nodata for DS query in NSEC zones, reported by
Ondrej Mikle.
13 April 2012: Wouter
- ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
openssl.
10 April 2012: Wouter
- Applied patch from Daisuke HIGASHI for rrset-roundrobin and
minimal-responses features.
- iana portlist updated.
5 April 2012: Wouter
- fix bug #443: --with-chroot-dir not honoured by configure.
- fix bug #444: setusercontext was called too late (thanks Bjorn
Ketelaars).
27 March 2012: Wouter
- fix bug #442: Fix that Makefile depends on pythonmod headers
even using --without-pythonmodule.
22 March 2012: Wouter
- contrib/validation-reporter follows rotated log file (patch from
Augie Schwer).
21 March 2012: Wouter
- new approach to NS fetches for DS lookup that works with
cornercases, and is more robust and considers forwarders.
19 March 2012: Wouter
- iana portlist updated.
- fix to locate nameservers for DS lookup with NS fetches.
16 March 2012: Wouter
- Patch for access to full DNS packet data in unbound python module
from Ondrej Mikle.
9 March 2012: Wouter
- Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
2 March 2012: Wouter
- flush_infra cleans timeouted servers from the cache too.
- removed warning from --enable-ecdsa.
1 March 2012: Wouter
- forward-first option. Tries without forward if a query fails.
Also stub-first option that is similar.
28 February 2012: Wouter
- Fix from code review, if EINPROGRESS not defined chain if statement
differently.
27 February 2012: Wouter
- Fix bug#434: on windows check registry for config file location
for unbound-control.exe, and unbound-checkconf.exe.
23 February 2012: Wouter
- Fix to squelch 'network unreachable' errors from tcp connect in
logs, high verbosity will show them.
16 February 2012: Wouter
- iter_hints is now thread-owned in module env, and thus threadsafe.
- Fix prefetch and sticky NS, now the prefetch works. It picks
nameservers that 'would be valid in the future', and if this makes
the NS timeout, it updates that NS by asking delegation from the
parent again. If child NS has longer TTL, that TTL does not get
refreshed from the lookup to the child nameserver.
15 February 2012: Wouter
- Fix forward-zone memory, uses malloc and frees original root dp.
- iter hints (stubs) uses malloc inside for more dynamicity.
- unbound-control forward_add, forward_remove, stub_add, stub_remove
can modify stubs and forwards for running unbound (on mobile computer)
they can also add and remove domain-insecure for the zone.
14 February 2012: Wouter
- Fix sticky NS (ghost domain problem) if prefetch is yes.
- iter forwards uses malloc inside for more dynamicity.
13 February 2012: Wouter
- RT#2955. Fix for cygwin compilation.
- iana portlist updated.
10 February 2012: Wouter
- Slightly smaller critical region in one case in infra cache.
- Fix timeouts to keep track of query type, A, AAAA and other, if
another has caused timeout blacklist, different type can still probe.
- unit test fix for nomem_cnametopos.rpl race condition.
9 February 2012: Wouter
- Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
8 February 2012: Wouter
- implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
implementation is experimental at this time and not recommended
for use on the public internet (the protocol numbers have not
been assigned). Needs recent ldns with --enable-ecdsa.
- fix memory leak in errorcase for DSA signatures.
- iana portlist updated.
- workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
3 February 2012: Wouter
- fix for windows, rename() is not posix compliant on windows.
2 February 2012: Wouter
- 1.4.16 release tag.
- svn trunk is 1.4.17 in development.
- iana portlist updated.
1 February 2012: Wouter
- Fix validation failures (like: validation failure xx: no NSEC3
closest encloser from yy for DS zz. while building chain of trust,
because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
for an NSEC3. Now it does not change rdata, and fixes TTL.
30 January 2012: Wouter
- Fix version-number in libtool to be version-info so it produces
libunbound.so.2 like it should.
26 January 2012: Wouter
- Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
- trunk 1.4.16; includes changes memset testcode, #424 openindiana,
and keyfile write fixup.
- applied patch to support outgoing-interface with ub_ctx_set_option.
23 January 2012: Wouter
- Fix memset in test code.
20 January 2012: Wouter
- Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
19 January 2012: Wouter
- Fix to write key files completely to a temporary file, and if that
succeeds, replace the real key file. So failures leave a useful file.
18 January 2012: Wouter
- tag 1.4.15rc1 created
- updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
17 January 2012: Wouter
- Fix bug where canonical_compare of RRSIG did not downcase the
signer-name. This is mostly harmless because RRSIGs do not have
to be sorted in canonical order, usually.
12 January 2012: Wouter
- bug#428: add ub_version() call to libunbound. API version increase,
with (binary) backwards compatibility for the previous version.
10 January 2012: Wouter
- Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
that would be permissible by the RFCs but it is not the TTL in the
cache.
- iana portlist updated.
- uninitialised variable in reprobe for rtt blocked domains fixed.
- lintfix and new flex output.
2 January 2012: Wouter
- Fix to randomize hash function, based on 28c3 congress, reported
by Peter van Dijk.
24 December 2011: Wouter
- Fix for memory leak (about 20 bytes when a tcp or udp send operation
towards authority servers failed, takes about 50.000 such failures to
leak one Mb, such failures are also usually logged), reported by
Robert Fleischmann.
- iana portlist updated.
19 December 2011: Wouter
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.
- trunk has 1.4.15 in development.
15 December 2011: Wouter
- remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
13 December 2011: Wouter
- iana portlist updated.
- svn tag 1.4.14rc1
- fix infra cache comparison.
- Fix to constrain signer_name to be a parent of the lookupname.
5 December 2011: Wouter
- Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
- Fix warnings with gcc 4.6 in compat/inet_ntop.c.
- Fix warning unused in compat/strptime.c.
- Fix malloc detection and double definition.
2 December 2011: Wouter
- configure generated with autoconf 2.68.
30 November 2011: Wouter
- Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
SERVFAILs. Also fixed for UDP (but less likely).
28 November 2011: Wouter
- Fix quartile time estimate, it was too low, (thanks Jan Komissar).
- iana ports updated.
11 November 2011: Wouter
- Makefile compat with SunOS make, BSD make and GNU make.
- iana ports updated.
10 November 2011: Wouter
- Makefile changed for BSD make compatibility.
9 November 2011: Wouter
- added unit test for SSL service and SSL-upstream.
8 November 2011: Wouter
- can configure ssl service to one port number, and not on others.
- fixup windows compile with ssl support.
- Fix double free in unbound-host, reported by Steve Grubb.
- iana portlist updated.
1 November 2011: Wouter
- dns over ssl support as a client, ssl-upstream yes turns it on.
It performs an SSL transaction for every DNS query (250 msec).
- documentation for new options: ssl-upstream, ssl-service-key and
ssl-service.pem.
- iana portlist updated.
- fix -flto detection on Lion for llvm-gcc.
31 October 2011: Wouter
- dns over ssl support, ssl-service-pem and ssl-service-key files
can be given and then TCP queries are serviced wrapped in SSL.
27 October 2011: Wouter
- lame-ttl and lame-size options no longer exist, it is integrated
with the host info. They are ignored (with verbose warning) if
encountered to keep the config file backwards compatible.
- fix iana-update for changing gzip compression of results.
- fix export-all-symbols on OSX.
26 October 2011: Wouter
- iana portlist updated.
- Infra cache stores information about ping and lameness per IP, zone.
This fixes bug #416.
- fix iana_update target for gzipped file on iana site.
24 October 2011: Wouter
- Fix resolve of partners.extranet.microsoft.com with a fix for the
server selection for choosing out of a (particular) list of bad
choices. (bug#415)
- Fix make_new_space function so that the incoming query is not
overwritten if a jostled out query causes a waiting query to be
resumed that then fails and sends an error message. (Thanks to
Matthew Lee).
21 October 2011: Wouter
- fix --enable-allsymbols, fptr wlist is disabled on windows with this
option enabled because of memory layout exe vs dll.
19 October 2011: Wouter
- fix unbound-anchor for broken strptime on OSX lion, detected
in configure.
- Detect if GOST really works, openssl1.0 on OSX fails.
- Implement ipv6%interface notation for scope_id usage.
17 October 2011: Wouter
- better documentation for inform_super (Thanks Yang Zhe).
14 October 2011: Wouter
- Fix for out-of-memory condition in libunbound (thanks
Robert Fleischman).
13 October 2011: Wouter
- Fix --enable-allsymbols, it depended on link specifics of the
target platform, or fptr_wlist assertion failures could occur.
12 October 2011: Wouter
- updated contrib/unbound_munin_ to family=auto so that it works with
munin-node-configure automatically (if installed as
/usr/local/share/munin/plugins/unbound_munin_ ).
27 September 2011: Wouter
- unbound.exe -w windows option for start and stop service.
23 September 2011: Wouter
- TCP-upstream calculates tcp-ping so server selection works if there
are alternatives.
20 September 2011: Wouter
- Fix classification of NS set in answer section, where there is a
parent-child server, and the answer has the AA flag for dir.slb.com.
Thanks to Amanda Constant from Secure64.
16 September 2011: Wouter
- fix bug #408: accept patch from Steve Snyder that comments out
unused functions in lookup3.c.
- iana portlist updated.
- fix EDNS1480 change memleak and TCP fallback.
- fix various compiler warnings (reported by Paul Wouters).
- max sent count. EDNS1480 only for rtt < 5000. No promiscuous
fetch if sentcount > 3, stop query if sentcount > 16. Count is
reset when referral or CNAME happens. This makes unbound better
at managing large NS sets, they are explored when there is continued
interest (in the form of queries).
15 September 2011: Wouter
- release 1.4.13.
- trunk contains 1.4.14 in development.
- Unbound probes at EDNS1480 if there an EDNS0 timeout.
12 September 2011: Wouter
- Reverted dns EDNS backoff fix, it did not help and needs
fragmentation fixes instead.
- tag 1.4.13rc2
7 September 2011: Wouter
- Fix operation in ipv6 only (do-ip4: no) mode.
6 September 2011: Wouter
- fedora specfile updated.
5 September 2011: Wouter
- tag 1.4.13rc1
2 September 2011: Wouter
- iana portlist updated.
26 August 2011: Wouter
- Fix num-threads 0 does not segfault, reported by Simon Deziel.
- Fix validation failures due to EDNS backoff retries, the retry
for fetch of data has want_dnssec because the iter_indicate_dnssec
function returns true when validation failure retry happens, and
then the serviced query code does not fallback to noEDNS, even if
the cache says it has this. This helps for DLV deployment when
the DNSSEC status is not known for sure before the lookup concludes.
24 August 2011: Wouter
- Applied patch from Karel Slany that fixes a memory leak in the
unbound python module, in string conversions.
22 August 2011: Wouter
- Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
Zhang and Luo Ce). Unbound responds with the RR types that are
available at the name for qtype ANY and validates those RR types.
It does not test for completeness (i.e. with NSEC or NSEC3 query),
and it does not follow the CNAME or DNAME to another name (with
even more data for the already large response).
- Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
- Documented the options that work with control set_option command.
- tcp-upstream yes/no option (works with set_option) for tunnels.
18 August 2011: Wouter
- fix autoconf call in makedist crosscompile to RC or snapshot.
17 August 2011: Wouter
- Fix validation of . DS query.
- new xml format at IANA, new awk for iana_update.
- iana portlist updated.
10 August 2011: Wouter
- Fix python site-packages path to /usr/lib64.
- updated patch from Tom.
- fix memory and fd leak after out-of-memory condition.
9 August 2011: Wouter
- patch from Tom Hendrikx fixes load of python modules.
8 August 2011: Wouter
- make clean had ldns-src reference, removed.
1 August 2011: Wouter
- Fix autoconf 2.68 warnings
14 July 2011: Wouter
- Unbound implements RFC6303 (since version 1.4.7).
- tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
meantime, those are for 1.4.13).
- iana portlist updated.
13 July 2011: Wouter
- Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
11 July 2011: Wouter
- Fix wildcard expansion no-data reply under an optout NSEC3 zone is
validated as insecure, reported by Jia Li (lijia@cnnic.cn).
4 July 2011: Wouter
- 1.4.12rc1 tag created.
1 July 2011: Wouter
- version number in example config file.
- fix that --enable-static-exe does not complain about it unknown.
30 June 2011: Wouter
- tag relase 1.4.11, trunk is 1.4.12 development.
- iana portlist updated.
- fix bug#395: id bits of other query may leak out under conditions
- fix replyaddr count wrong after jostled queries, which leads to
eventual starvation where the daemon has no replyaddrs left to use.
- fix comment about rndc port, that referred to the old port number.
- fix that the listening socket is not closed when too many remote
control connections are made at the same time.
- removed ldns-src tarball inside the unbound tarball.
23 June 2011: Wouter
- Changed -flto check to support clang compiler.
- tag 1.4.11rc3 created.
17 June 2011: Wouter
- tag 1.4.11rc1 created.
- remove warning about signed/unsigned from flex (other flex version).
- updated aclocal.m4 and libtool to match.
- tag 1.4.11rc2 created.
16 June 2011: Wouter
- log-queries: yesno option, default is no, prints querylog.
- version is 1.4.11.
14 June 2011: Wouter
- Use -flto compiler flag for link time optimization, if supported.
- iana portlist updated.
12 June 2011: Wouter
- IPv6 service address for d.root-servers.net (2001:500:2D::D).
10 June 2011: Wouter
- unbound-control has version number in the header,
UBCT[version]_space_ is the header sent by the client now.
- Unbound control port number is registered with IANA:
ub-dns-control 8953/tcp unbound dns nameserver control
This is the new default for the control-port config setting.
- statistics-interval prints the number of jostled queries to log.
30 May 2011: Wouter
- Fix Makefile for U in environment, since wrong U is more common than
deansification necessity.
- iana portlist updated.
- updated ldns tarball to 1.6.10rc2 snapshot of today.
25 May 2011: Wouter
- Fix assertion failure when unbound generates an empty error reply
in response to a query, CVE-2011-1922 VU#531342.
- This fix is in tag 1.4.10.
- defense in depth against the above bug, an error is printed to log
instead of an assertion failure.
10 May 2011: Wouter
- bug#386: --enable-allsymbols option links all binaries to libunbound
and reduces install size significantly.
- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
- iana portlist updated.
- Fix TTL of SOA so negative TTL is separately cached from normal TTL.
14 April 2011: Wouter
- configure created with newer autoconf 2.66.
12 April 2011: Wouter
- bug#378: Fix that configure checks for ldns_get_random presence.
8 April 2011: Wouter
- iana portlist updated.
- queries with CD flag set cause DNSSEC validation, but the answer is
not withheld if it is bogus. Thus, unbound will retry if it is bad
and curb the TTL if it is bad, thus protecting the cache for use by
downstream validators.
- val-override-date: -1 ignores dates entirely, for NTP usage.
29 March 2011: Wouter
- harden-below-nxdomain: changed so that it activates when the
cached nxdomain is dnssec secure. This avoids backwards
incompatibility because those old servers do not have dnssec.
24 March 2011: Wouter
- iana portlist updated.
- release 1.4.9.
- trunk is 1.5.0
17 March 2011: Wouter
- bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
Applied but did not do the --disable-gost.
10 March 2011: Wouter
- tag 1.4.9 release candidate 1 created.
3 March 2011: Wouter
- updated ldns to today.
1 March 2011: Wouter
- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
- give config parse error for multiple names on a stub or forward zone.
- updated ldns tarball to 1.6.9(todays snapshot).
24 February 2011: Wouter
- bug #361: Fix, time.elapsed variable not reset with stats_noreset.
23 February 2011: Wouter
- iana portlist updated.
- common.sh to version 3.
18 February 2011: Wouter
- common.sh in testdata updated to version 2.
15 February 2011: Wouter
- Added explicit note on unbound-anchor usage:
Please note usage of unbound-anchor root anchor is at your own risk
and under the terms of our LICENSE (see that file in the source).
11 February 2011: Wouter
- iana portlist updated.
- tpkg updated with common.sh for common functionality.
7 February 2011: Wouter
- Added regression test for addition of a .net DS to the root, and
cache effects with different TTL for glue and DNSKEY.
- iana portlist updated.
28 January 2011: Wouter
- Fix remove private address does not throw away entire response.
24 January 2011: Wouter
- release 1.4.8
19 January 2011: Wouter
- fix bug#349: no -L/usr for ldns.
18 January 2011: Wouter
- ldns 1.6.8 tarball included.
- release 1.4.8rc1.
17 January 2011: Wouter
- add get and set option for harden-below-nxdomain feature.
- iana portlist updated.
14 January 2011: Wouter
- Fix so a changed NS RRset does not get moved name stuck on old
server, for type NS the TTL is not increased.
13 January 2011: Wouter
- Fix prefetch so it does not get stuck on old server for moved names.
12 January 2011: Wouter
- iana portlist updated.
11 January 2011: Wouter
- Fix insecure CNAME sequence marked as secure, reported by Bert
Hubert.
10 January 2011: Wouter
- faster lruhash get_mem routine.
4 January 2011: Wouter
- bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
- iana portlist updated.
23 December 2010: Wouter
- Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
21 December 2010: Wouter
- algorithm compromise protection using the algorithms signalled in
the DS record. Also, trust anchors, DLV, and RFC5011 receive this,
and thus, if you have multiple algorithms in your trust-anchor-file
then it will now behave different than before. Also, 5011 rollover
for algorithms needs to be double-signature until the old algorithm
is revoked.
It is not an option, because I see no use to turn the security off.
- iana portlist updated.
17 December 2010: Wouter
- squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
- fix validation in this case: CNAME to nodata for co-hosted opt-in
NSEC3 insecure delegation, was bogus, fixed to be insecure.
16 December 2010: Wouter
- Fix our 'BDS' license (typo reported by Xavier Belanger).
10 December 2010: Wouter
- iana portlist updated.
- review changes for unbound-anchor.
2 December 2010: Wouter
- feature typetransparent localzone, does not block other RR types.
1 December 2010: Wouter
- Fix bug#338: print address when socket creation fails.
30 November 2010: Wouter
- Fix storage of EDNS failures in the infra cache.
- iana portlist updated.
18 November 2010: Wouter
- harden-below-nxdomain option, default off (because very old
software may be incompatible). We could enable it by default in
the future.
17 November 2010: Wouter
- implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
- make test output nicer.
15 November 2010: Wouter
- silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
- iana portlist updated.
- so-sndbuf option for very busy servers, a bit like so-rcvbuf.
9 November 2010: Wouter
- unbound-anchor compiles with openssl 0.9.7.
8 November 2010: Wouter
- release tag 1.4.7.
- trunk is version 1.4.8.
- Be lenient and accept imgw.pl malformed packet (like BIND).
5 November 2010: Wouter
- do not synthesize a CNAME message from cache for qtype DS.
4 November 2010: Wouter
- Use central entropy to seed threads.
3 November 2010: Wouter
- Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
2 November 2010: Wouter
- tag 1.4.7rc1.
- code review.
1 November 2010: Wouter
- GOST code enabled by default (RFC 5933).
27 October 2010: Wouter
- Fix uninit value in dump_infra print.
- Fix validation failure for parent and child on same server with an
insecure childzone and a CNAME from parent to child.
- Configure detects libev-4.00.
26 October 2010: Wouter
- dump_infra and flush_infra commands for unbound-control.
- no timeout backoff if meanwhile a query succeeded.
- Change of timeout code. No more lost and backoff in blockage.
At 12sec timeout (and at least 2x lost before) one probe per IP
is allowed only. At 120sec, the IP is blocked. After 15min, a
120sec entry has a single retry packet.
25 October 2010: Wouter
- Configure errors if ldns is not found.
22 October 2010: Wouter
- Windows 7 fix for the installer.
21 October 2010: Wouter
- Fix bug where fallback_tcp causes wrong roundtrip and edns
observation to be noted in cache. Fix bug where EDNSprobe halted
exponential backoff if EDNS status unknown.
- new unresponsive host method, exponentially increasing block backoff.
- iana portlist updated.
20 October 2010: Wouter
- interface automatic works for some people with ip6 disabled.
Therefore the error check is removed, so they can use the option.
19 October 2010: Wouter
- Fix for request list growth, if a server has long timeout but the
lost counter is low, then its effective rtt is the one without
exponential backoff applied. Because the backoff is not working.
The lost counter can then increase and the server is blacklisted,
or the lost counter does not increase and the server is working
for some queries.
18 October 2010: Wouter
- iana portlist updated.
13 October 2010: Wouter
- Fix TCP so it uses a random outgoing-interface.
- unbound-anchor handles ADDPEND keystate.
11 October 2010: Wouter
- Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
the zone has a secure delegation hosted on the same server did not
verify as secure (it was insecure by mistake).
- iana portlist updated.
- ldns tarball updated (for reading cachedumps with bad RR data).
1 October 2010: Wouter
- test for unbound-anchor. fix for reading certs.
- Fix alloc_reg_release for longer uptime in out of memory conditions.
28 September 2010: Wouter
- unbound-anchor working, it creates or updates a root.key file.
Use it before you start the validator (e.g. at system boot time).
27 September 2010: Wouter
- iana portlist updated.
24 September 2010: Wouter
- bug#329: in example.conf show correct ipv4 link-local 169.254/16.
23 September 2010: Wouter
- unbound-anchor app, unbound requires libexpat (xml parser library).
22 September 2010: Wouter
- compliance with draft-ietf-dnsop-default-local-zones-14, removed
reverse ipv6 orchid prefix from builtin list.
- iana portlist updated.
17 September 2010: Wouter
- DLV has downgrade protection again, because the RFC says so.
- iana portlist updated.
16 September 2010: Wouter
- Algorithm rollover operational reality intrudes, for trust-anchor,
5011-store, and DLV-anchor if one key matches it's good enough.
- iana portlist updated.
- Fix reported validation error in out of memory condition.
15 September 2010: Wouter
- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
14 September 2010: Wouter
- increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers.
- iana portlist updated.
13 September 2010: Wouter
- bug#327: Fix for cannot access stub zones until the root is primed.
9 September 2010: Wouter
- unresponsive servers are not completely blacklisted (because of
firewalls), but also not probed all the time (because of the request
list size it generates). The probe rate is 1%.
- iana portlist updated.
20 August 2010: Wouter
- openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
iterator get_mem includes priv_get_mem. delegpt nodup removed.
listen_pushback, query_info_allocqname, write_socket, send_packet,
comm_point_set_cb_arg and listen_resume removed.
19 August 2010: Wouter
- Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
Delegpt structures checked for duplicates always.
No more nameserver lookups generated when depth is full anyway.
- example.conf notes how to do DNSSEC validation and track the root.
- iana portlist updated.
18 August 2010: Wouter
- Fix bug#322: configure does not respect CFLAGS on Solaris.
Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
if use sun-cc, but some systems need different flags.
16 August 2010: Wouter
- Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
changes, uses m4_bpatsubst now.
- make test (or make check) should be more portable and run the unit
test and testbound scripts. (make longtest has special requirements).
13 August 2010: Wouter
- More pleasant remote control command parsing.
- documentation added for return values reported by doxygen 1.7.1.
- iana portlist updated.
9 August 2010: Wouter
- Fix name of rrset printed that failed validation.
5 August 2010: Wouter
- Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
4 August 2010: Wouter
- Fix validation in case a trust anchor enters into a zone with
unsupported algorithms.
3 August 2010: Wouter
- updated ldns tarball with bugfixes.
- release tag 1.4.6.
- trunk becomes 1.4.7 develop.
- iana portlist updated.
22 July 2010: Wouter
- more error details on failed remote control connection.
15 July 2010: Wouter
- rlimit adjustments for select and ulimit can happen at the same time.
14 July 2010: Wouter
- Donation text added to README.
- Fix integer underflow in prefetch ttl creation from cache. This
fixes a potential negative prefetch ttl.
12 July 2010: Wouter
- Changed the defaults for num-queries-per-thread/outgoing-range.
For builtin-select: 512/960, for libevent 1024/4096 and for
windows 24/48 (because of win api). This makes the ratio this way
to improve resilience under heavy load. For high performance, use
libevent and possibly higher numbers.
10 July 2010: Wouter
- GOST enabled if SSL is recent and ldns has GOST enabled too.
- ldns tarball updated.
9 July 2010: Wouter
- iana portlist updated.
- Fix validation of qtype DNSKEY when a key-cache entry exists but
no rr-cache entry is used (it expired or prefetch), it then goes
back up to the DS or trust-anchor to validate the DNSKEY.
7 July 2010: Wouter
- Neat function prototypes, unshadowed local declarations.
6 July 2010: Wouter
- failure to chown the pidfile is not fatal any more.
- testbound uses UTC timezone.
- ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
/usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.
5 July 2010: Wouter
- log if a server is skipped because it is on the donotquery list,
at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
- added feature to print configure date, target and options with -h.
- added feature to print event backend system details with -h.
- wdiff is not actually required by make test, updated requirements.
1 July 2010: Wouter
- Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
must be signed with all algorithms from the DS rrset at the parent.
This is now checked and becomes bogus if not.
28 June 2010: Wouter
- Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
in overload situations to be about 5 qps for the class of shortly
serviced queries.
The capacity of the resolver is then about (numqueriesperthread / 2)
/ (average time for such long queries) qps for long queries.
And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
qps for short queries, per thread.
- Fix the max number of reply-address count to be applied for duplicate
queries, and not for new query list entries. This raises the memory
usage to a max of (16+1)*numqueriesperthread reply addresses.
25 June 2010: Wouter
- Fix handling of corner case reply from lame server, follows rfc2308.
It could lead to a nodata reply getting into the cache if the search
for a non-lame server turned up other misconfigured servers.
- unbound.h has extern "C" statement for easier include in c++.
23 June 2010: Wouter
- iana portlist updated.
- makedist upgraded cross compile openssl option, like this:
./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
22 June 2010: Wouter
- Unbound reports libev or libevent correctly in logs in verbose mode.
- Fix to unload gost dynamic library module for leak testing.
18 June 2010: Wouter
- iana portlist updated.
17 June 2010: Wouter
- Add AAAA to root hints for I.ROOT-SERVERS.NET.
16 June 2010: Wouter
- Fix assertion failure reported by Kai Storbeck from XS4ALL, the
assertion was wrong.
- updated ldns tarball.
15 June 2010: Wouter
- tag 1.4.5 created.
- trunk contains 1.4.6 in development.
- Fix TCPreply on systems with no writev, if just 1 byte could be sent.
- Fix to use one pointer less for iterator query state store_parent_NS.
- makedist crosscompile to windows uses builtin ldns not host ldns.
- Max referral count from 30 to 130, because 128 one character domains
is valid DNS.
- added documentation for the histogram printout to syslog.
11 June 2010: Wouter
- When retry to parent the retrycount is not wiped, so failed
nameservers are not tried again.
- iana portlist updated.
10 June 2010: Wouter
- Fix bug where a long loop could be entered, now cycle detection
has a loop-counter and maximum search amount.
4 June 2010: Wouter
- iana portlist updated.
- 1.4.5rc1 tag created.
3 June 2010: Wouter
- ldns tarball updated, 1.6.5.
- review comments, split dependency cycle tracking for parentside
last resort lookups for A and AAAA so there are more lookup options.
2 June 2010: Wouter
- Fix compile warning if compiled without threads.
- updated ldns-tarball with current ldns svn (pre 1.6.5).
- GOST disabled-by-default, the algorithm number is allocated but the
RFC is still has to pass AUTH48 at the IETF.
1 June 2010: Wouter
- Ignore Z flag in incoming messages too.
- Fix storage of negative parent glue if that last resort fails.
- libtoolize 2.2.6b, autoconf 2.65 applied to configure.
- new splint flags for newer splint install.
31 May 2010: Wouter
- Fix AD flag handling, it could in some cases mistakenly copy the AD
flag from upstream servers.
- alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
- parentside names are dispreferred but not said to be dnssec-lame.
- parentside check for cached newname glue.
- fix parentside and querytargets modulestate, for dump_requestlist.
- unbound-control-setup makes keys -rw-r--- so not all users permitted.
- fix parentside from cache to be marked dispreferred for bad names.
28 May 2010: Wouter
- iana portlist updated.
- parent-child disagreement approach altered. Older fixes are
removed in place of a more exhaustive search for misconfigured data
available via the parent of a delegation.
This is designed to be throttled by cache entries, with TTL from the
parent if possible. Additionally the loop-counter is used.
It also tests for NS RRset differences between parent and child.
The fetch of misconfigured data should be more reliable and thorough.
It should work reliably even with no or only partial data in cache.
Data received from the child (as always) is deemed more
authoritative than information received from the delegation parent.
The search for misconfigured data is not performed normally.
26 May 2010: Wouter
- Contribution from Migiel de Vos (Surfnet): nagios patch for
unbound-host, in contrib/ (in the source tarball). Makes
unbound-host suitable for monitoring dnssec(-chain) status.
21 May 2010: Wouter
- EDNS timeout code will not fire if EDNS status already known.
- EDNS failure not stored if EDNS status known to work.
19 May 2010: Wouter
- Fix resolution for domains like safesvc.com.cn. If the iterator
can not recurse further and it finds the delegation in a state
where it would otherwise have rejected it outhand if so received
from a cache lookup, then it can try to ask higherup (with loop
protection).
- Fix comments in iter_utils:dp_is_useless.
18 May 2010: Wouter
- Fix various compiler warnings from the clang llvm compiler.
- iana portlist updated.
6 May 2010: Wouter
- Fix bug#308: spelling error in variable name in parser and lexer.
4 May 2010: Wouter
- Fix dnssec-missing detection that was turned off by server selection.
- Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
29 April 2010: Wouter
- Fix for dnssec lameness detection to use the key cache.
- infra cache entries that are expired are wiped clean. Previously
it was possible to not expire host data (if accessed often).
28 April 2010: Wouter
- ldns tarball updated and GOST support is detected and then enabled.
- iana portlist updated.
- Fix detection of gost support in ldns (reported by Chris Smith).
27 April 2010: Wouter
- unbound-control get_option domain-insecure shows config file items.
- fix retry sequence if prime hints are recursion-lame.
- autotrust anchor file can be initialized with a ZSK key as well.
- harden-referral-path does not result in failures due to max-depth.
You can increase the max-depth by adding numbers (' 0') after the
target-fetch-policy, this increases the depth to which is checked.
26 April 2010: Wouter
- Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
CPPFLAGS during configure process.
- if libev is installed on the base system (not libevent), detect
it from the event.h header file and link with -lev.
- configlexer.lex gets config.h, and configyyrename.h added by make,
no more double include.
- More strict scrubber (Thanks to George Barwood for the idea):
NS set must be pertinent to the query (qname subdomain nsname).
- Fix bug#307: In 0x20 backoff fix fallback so the number of
outstanding queries does not become -1 and block the request.
Fixed handling of recursion-lame in combination with 0x20 fallback.
Fix so RRsets are compared canonicalized and sorted if the immediate
comparison fails, this makes it work around round-robin sites.
23 April 2010: Wouter
- Squelch log message: sendto failed permission denied for
255.255.255.255, it is visible in VERB_DETAIL (verbosity 2).
- Fix to fetch data as last resort more tenaciously. When cycle
targets cause the server selection to believe there are more options
when they really are not there, the server selection is reinitiated.
- Fix fetch from blacklisted dnssec lame servers as last resort. The
server's IP address is then given in validator errors as well.
- Fix local-zone type redirect that did not use the query name for
the answer rrset.
22 April 2010: Wouter
- tag 1.4.4.
- trunk contains 1.4.5 in development.
- Fix validation failure for qtype ANY caused by a RRSIG parse failure.
The validator error message was 'no signatures from ...'.
16 April 2010: Wouter
- more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
- tag 1.4.4rc1.
15 April 2010: Wouter
- ECC-GOST algorithm number 12 that is assigned by IANA. New test
example key and signatures for GOST. GOST requires openssl-1.0.0.
GOST is still disabled by default.
9 April 2010: Wouter
- Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
get into an endless loop, if 0x20 was enabled, and buffers are small
or particular broken packets are received.
- Fix chain of trust with CNAME at an intermediate step, for the DS
processing proof.
8 April 2010: Wouter
- Fix validation of queries with wildcard names (*.example).
6 April 2010: Wouter
- Fix EDNS probe for .de DNSSEC testbed failure, where the infra
cache timeout coincided with a server update, the current EDNS
backoff is less sensitive, and does not cache the backoff unless
the backoff actually works and the domain is not expecting DNSSEC.
- GOST support with correct algorithm numbers.
1 April 2010: Wouter
- iana portlist updated.
24 March 2010: Wouter
- unbound control flushed items are not counted when flushed again.
23 March 2010: Wouter
- iana portlist updated.
22 March 2010: Wouter
- unbound-host disables use-syslog from config file so that the
config file for the main server can be used more easily.
- fix bug#301: unbound-checkconf could not parse interface
'0.0.0.0@5353', even though unbound itself worked fine.
19 March 2010: Wouter
- fix fwd_ancil test to pass if the socket options are not supported.
18 March 2010: Wouter
- Fixed random numbers for port, interface and server selection.
Removed very small bias.
- Refer to the listing in unbound-control man page in the extended
statistics entry in the unbound.conf man page.
16 March 2010: Wouter
- Fix interface-automatic for OpenBSD: msg.controllen was too small,
also assertions on ancillary data buffer.
- check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
- for NSEC3 check if signatures are cached.
15 March 2010: Wouter
- unit test for util/regional.c.
12 March 2010: Wouter
- Reordered configure checks so fork and -lnsl -lsocket checks are
earlier, and thus later checks benefit from and do not hinder them.
- iana portlist updated.
- ldns tarball updated.
- Fix python use when multithreaded.
- Fix solaris python compile.
- Include less in config.h and include per code file for ldns, ssl.
11 March 2010: Wouter
- another memory allocation option: --enable-alloc-nonregional.
exposes the regional allocations to other memory purifiers.
- fix for memory alignment in struct sock_list allocation.
- Fix for MacPorts ldns without ssl default, unbound checks if ldns
has dnssec functionality and uses the builtin if not.
- Fix daemonize on Solaris 10, it did not detach from terminal.
- tag 1.4.3 created.
- trunk is 1.4.4 in development.
- spelling fix in validation error involving cnames.
10 March 2010: Wouter
- --enable-alloc-lite works with test set.
- portability in the testset: printf format conversions, prototypes.
9 March 2010: Wouter
- tag 1.4.2 created.
- trunk is 1.4.3 in development.
- --enable-alloc-lite debug option.
8 March 2010: Wouter
- iana portlist updated.
4 March 2010: Wouter
- Fix crash in control channel code.
3 March 2010: Wouter
- better casts in pipe code, brackets placed wrongly.
- iana portlist updated.
1 March 2010: Wouter
- make install depends on make all.
- Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
- --enable-checking: enables assertions but does not look nonproduction.
- nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
nxdomain and nodata distinguished.
- ldns tarball updated.
- --disable-rpath fixed for libtool not found errors.
- new fedora specfile from Fedora13 in contrib from Paul Wouters.
26 February 2010: Wouter
- Fixup prototype for lexer cleanup in daemon code.
- unbound-control list_stubs, list_forwards, list_local_zones and
list_local_data.
24 February 2010: Wouter
- Fix scrubber bug that potentially let NS records through. Reported
by Amanda Constant.
- Also delete potential poison references from additional.
- Fix: no classification of a forwarder as lame, throw away instead.
23 February 2010: Wouter
- libunbound ub_ctx_get_option() added.
- unbound-control set_option and get_option commands.
- iana portlist updated.
18 February 2010: Wouter
- A little more strict DS scrubbing.
- No more blacklisting of unresponsive servers, a 2 minute timeout
is backed off to.
- RD flag not enabled for dnssec-blacklisted tries, unless necessary.
- pickup ldns compile fix, libdl for libcrypto.
- log 'tcp connect: connection timed out' only in high verbosity.
- unbound-control log_reopen command.
- moved get_option code from unbound-checkconf to util/config_file.c
17 February 2010: Wouter
- Disregard DNSKEY from authority section for chain of trust.
DS records that are irrelevant to a referral scrubbed. Anti-poison.
- iana portlist updated.
16 February 2010: Wouter
- Check for 'no space left on device' (or other errors) when
writing updated autotrust anchors and print errno to log.
15 February 2010: Wouter
- Fixed the requery protection, the TTL was 0, it is now 900 seconds,
hardcoded. We made the choice to send out more conservatively,
protecting against an aggregate effect more than protecting a
single user (from their own folly, perhaps in case of misconfig).
12 February 2010: Wouter
- Re-query pattern changed on validation failure. To protect troubled
authority servers, unbound caches a failure for the DNSKEY or DS
records for the entire zone, and only retries that 900 seconds later.
This implies that only a handful of packets are sent extra to the
authority if the zone fails.
11 February 2010: Wouter
- ldns tarball update for long label length syntax error fix.
- iana portlist updated.
9 February 2010: Wouter
- Fixup in compat snprintf routine, %f 1.02 and %g support.
- include math.h for testbound test compile portability.
2 February 2010: Wouter
- Updated url of IANA itar, interim trust anchor repository, in script.
1 February 2010: Wouter
- iana portlist updated.
- configure test for memcmp portability.
27 January 2010: Wouter
- removed warning on format string in validator error log statement.
- iana portlist updated.
22 January 2010: Wouter
- libtool finish the install of unbound python dynamic library.
21 January 2010: Wouter
- acx_nlnetlabs.m4 synchronised with nsd's version.
20 January 2010: Wouter
- Fixup lookup trouble for parent-child domains on the first query.
14 January 2010: Wouter
- Fixup ldns detection to also check for header files.
13 January 2010: Wouter
- prefetch-key option that performs DNSKEY queries earlier in the
validation process, and that could halve the latency on DNSSEC
queries. It takes some extra processing (CPU, a cache is needed).
12 January 2010: Wouter
- Fix unbound-checkconf for auto-trust-anchor-file present checks.
8 January 2010: Wouter
- Fix for parent-child disagreement code which could have trouble
when (a) ipv6 was disabled and (b) the TTL for parent and child
were different. There were two bugs, the parent-side information
is fixed to no longer block lookup of child side information and
the iterator is fixed to no longer attempt to get ipv6 when it is
not enabled and then give up in failure.
- test and fixes to make prefetch actually store the answer in the
cache. Considers some rrsets 'already expired' but does not allow
overwriting of rrsets considered more secure.
7 January 2010: Wouter
- Fixup python documentation (thanks Leo Vandewoestijne).
- Work on cache prefetch feature.
- Stats for prefetch, in log print stats, unbound-control stats
and in unbound_munin plugin.
6 January 2010: Wouter
- iana portlist updated.
- bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
- verbose output includes parent-side-address notion for lameness.
- documented val-log-level: 2 setting in example.conf and man page.
- change unbound-control-setup from 1024(sha1) to 1536(sha256).
1 January 2010: Wouter
- iana portlist updated.
22 December 2009: Wouter
- configure with newer libtool 2.2.6b.
17 December 2009: Wouter
- review comments.
- tag 1.4.1.
- trunk to version 1.4.2.
15 December 2009: Wouter
- Answer to qclass=ANY queries, with class IN contents.
Test that validation also works.
- updated ldns snapshot tarball with latest fixes (parsing records).
11 December 2009: Wouter
- on IPv4 UDP turn off DF flag.
10 December 2009: Wouter
- requirements.txt updated with design choice explanations.
- Reading fixes: fix to set unlame when child confirms parent glue,
and fix to avoid duplicate addresses in delegation point.
- verify_rrsig routine checks expiration last.
9 December 2009: Wouter
- Fix Bug#287(reopened): update of ldns tarball with fix for parse
errors generated for domain names like '.example.com'.
- Fix SOA excluded from negative DS responses. Reported by Hauke
Lampe. The negative cache did not include proper SOA records for
negative qtype DS responses which makes BIND barf on it, such
responses are now only used internally.
- Fix negative cache lookup of closestencloser check of DS type bit.
8 December 2009: Wouter
- Fix for lookup of parent-child disagreement domains, where the
parent-side glue works but it does not provide proper NS, A or AAAA
for itself, fixing domains such as motorcaravanners.eu.
- Feature: you can specify a port number in the interface: line, so
you can bind the same interface multiple times at different ports.
7 December 2009: Wouter
- Bug#287: Fix segfault when unbound-control remove nonexistent local
data. Added check to tests.
1 December 2009: Wouter
- Fix crash with module-config "iterator".
- Added unit test that has "iterator" module-config.
30 November 2009: Wouter
- bug#284: fix parse of # without end-of-line at end-of-file.
26 November 2009: Wouter
- updated ldns with release candidate for version 1.6.3.
- tag for 1.4.0 release.
- 1.4.1 version in trunk.
- Fixup major libtool version to 2 because of why_bogus change.
It was 1:5:0 but should have been 2:0:0.
23 November 2009: Wouter
- Patch from David Hubbard for libunbound manual page.
- Fixup endless spinning in unbound-control stats reported by
Attila Nagy. Probably caused by clock reversal.
20 November 2009: Wouter
- contrib/split-itar.sh contributed by Tom Hendrikx.
19 November 2009: Wouter
- better argument help for unbound-control.
- iana portlist updated.
17 November 2009: Wouter
- noted multiple entries for multiple domain names in example.conf.
- iana portlist updated.
16 November 2009: Wouter
- Fixed signer detection of CNAME responses without signatures.
- Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
- Tests for CNAMEs to deeper trust anchors, secure and bogus.
- svn tag 1.4.0rc1 made.
13 November 2009: Wouter
- Fixed validation failure for CNAME to optout NSEC3 nodata answer.
- unbound-host does not fail on type ANY.
- Fixed wireparse failure to put RRSIGs together with data in some
long ANY mix cases, which fixes validation failures.
12 November 2009: Wouter
- iana portlist updated.
- fix manpage errors reported by debian lintian.
- review comments.
- fixup very long vallog2 level error strings.
11 November 2009: Wouter
- ldns tarball updated (to 1.6.2).
- review comments.
10 November 2009: Wouter
- Thanks to Surfnet found bug in new dnssec-retry code that failed
to combine well when combined with DLV and a particular failure.
- Fixed unbound-control -h output about argument optionality.
- review comments.
5 November 2009: Wouter
- lint fixes and portability tests.
- better error text for multiple domain keys in one autotrust file.
2 November 2009: Wouter
- Fix bug where autotrust does not work when started with a DS.
- Updated GOST unit tests for unofficial algorithm number 249
and DNSKEY-format changes in draft version -01.
29 October 2009: Wouter
- iana portlist updated.
- edns-buffer-size option, default 4096.
- fixed do-udp: no.
28 October 2009: Wouter
- removed abort on prealloc failure, error still printed but softfail.
- iana portlist updated.
- RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
- ldns tarball updated (which also enables rsasha256 support).
27 October 2009: Wouter
- iana portlist updated.
8 October 2009: Wouter
- please doxygen
- add val-log-level print to corner case (nameserver.epost.bg).
- more detail to errors from insecure delegation checks.
- Fix double time subtraction in negative cache reported by
Amanda Constant and Hugh Mahon.
- Made new validator error string available from libunbound for
applications. It is in result->why_bogus, a zero-terminated string.
unbound-host prints it by default if a result is bogus.
Also the errinf is public in module_qstate (for other modules).
7 October 2009: Wouter
- retry for validation failure in DS and prime results. Less mem use.
unit test. Provisioning in other tests for requeries.
- retry for validation failure in DNSKEY in middle of chain of trust.
unit test.
- retry for empty non terminals in chain of trust and unit test.
- Fixed security bug where the signatures for NSEC3 records were not
checked when checking for absence of DS records. This could have
enabled the substitution of an insecure delegation.
- moved version number to 1.4.0 because of 1.3.4 release with only
the NSEC3 patch from the entry above.
- val-log-level: 2 shows extended error information for validation
failures, but still one (longish) line per failure. For example:
validation failure <example.com. DNSKEY IN>: signature expired from
192.0.2.4 for trust anchor example.com. while building chain of trust
validation failure <www.example.com. A IN>: no signatures from
192.0.2.6 for key example.com. while building chain of trust
6 October 2009: Wouter
- Test set updated to provide additional ns lookup result.
The retry would attempt to fetch the data from other nameservers
for bogus data, and this needed to be provisioned in the tests.
5 October 2009: Wouter
- first validation failure retry code. Retries for data failures.
And unit test.
2 October 2009: Wouter
- improve 5011 modularization.
- fix unbound-host so -d can be given before -C.
- iana portlist updated.
28 September 2009: Wouter
- autotrust-anchor-file can read multiline input and $ORIGIN.
- prevent integer overflow in holddown calculation. review fixes.
- fixed race condition in trust point revocation. review fix.
- review fixes to comments, removed unused code.
25 September 2009: Wouter
- so-rcvbuf: 4m option added. Set this on large busy servers to not
drop the occasional packet in spikes due to full socket buffers.
netstat -su keeps a counter of UDP dropped due to full buffers.
- review of validator/autotrust.c, small fixes and comments.
23 September 2009: Wouter
- 5011 query failed counts verification failures, not lookup failures.
- 5011 probe failure handling fixup.
- test unbound reading of original autotrust data.
The metadata per-key, such as key state (PENDING, MISSING, VALID) is
picked up, otherwise performs initial probe like usual.
22 September 2009: Wouter
- autotrust test with algorithm rollover, new ordering of checks
assists in orderly rollover.
- autotrust test with algorithm rollover to unknown algorithm.
checks if new keys are supported before adding them.
- autotrust test with trust point revocation, becomes unsigned.
- fix DNSSEC-missing-signature detection for minimal responses
for qtype DNSKEY (assumes DNSKEY occurs at zone apex).
18 September 2009: Wouter
- autotrust tests, fix trustpoint timer deletion code.
fix count of valid anchors during missing remove.
- autotrust: pick up REVOKE even if not signed with known other keys.
17 September 2009: Wouter
- fix compile of unbound-host when --enable-alloc-checks.
- Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
- Manual page fixes reported by Tony Finch.
16 September 2009: Wouter
- Fix memory leak reported by Tao Ma.
- Fix memstats test tool for log-time-ascii log format.
15 September 2009: Wouter
- iana portlist updated.
10 September 2009: Wouter
- increased MAXSYSLOGLEN so .bg key can be printed in debug output.
- use linebuffering for log-file: output, this can be significantly
faster than the previous fflush method and enable some class of
resolvers to use high verbosity (for short periods).
Not on windows, because line buffering does not work there.
9 September 2009: Wouter
- Fix bug where DNSSEC-bogus messages were marked with too high TTL.
The RRsets would still expire at the normal time, but this would
keep messages bogus in the cache for too long.
- regression test for that bug.
- documented that load_cache is meant for debugging.
8 September 2009: Wouter
- fixup printing errors when load_cache, they were printed to the
SSL connection which broke, now to the log.
- new ldns - with fixed parse of large SOA values.
7 September 2009: Wouter
- autotrust testbound scenarios.
- autotrust fix that failure count is written to file.
- autotrust fix that keys may become valid after add holddown time
alone, before the probe returns.
4 September 2009: Wouter
- Changes to make unbound work with libevent-2.0.3 alpha. (in
configure detection due to new ssl dependency in libevent)
- do not call sphinx for documentation when python is disabled.
- remove EV_PERSIST from libevent timeout code to make the code
compatible with the libevent-2.0. Works with older libevent too.
- fix memory leak in python code.
3 September 2009: Wouter
- Got a patch from Luca Bruno for libunbound support on windows to
pick up the system resolvconf nameservers and hosts there.
- included ldns updated (enum warning fixed).
- makefile fix for parallel makes.
- Patch from Zdenek Vasicek and Attila Nagy for using the source IP
from python scripts. See pythonmod/examples/resip.py.
- doxygen comment fixes.
2 September 2009: Wouter
- TRAFFIC keyword for testbound. Simplifies test generation.
${range lower val upper} to check probe timeout values.
- test with 5011-prepublish rollover and revocation.
- fix revocation of RR for autotrust, stray exclamation mark.
1 September 2009: Wouter
- testbound variable arithmetic.
- autotrust probe time is randomised.
- autotrust: the probe is active and does not fetch from cache.
31 August 2009: Wouter
- testbound variable processing.
28 August 2009: Wouter
- fixup unbound-control lookup to print forward and stub servers.
27 August 2009: Wouter
- autotrust: mesh answer callback is empty.
26 August 2009: Wouter
- autotrust probing.
- iana portlist updated.
25 August 2009: Wouter
- fixup memleak in trust anchor unsupported algorithm check.
- iana portlist updated.
- autotrust options: add-holddown, del-holddown, keep-missing.
- autotrust store revoked status of trust points.
- ctime_r compat definition.
- detect yylex_destroy() in configure.
- detect SSL_get_compression_methods declaration in configure.
- fixup DS lookup at anchor point with unsigned parent.
- fixup DLV lookup for DS queries to unsigned domains.
24 August 2009: Wouter
- cleaner memory allocation on exit. autotrust test routines.
- free all memory on program exit, fix for ssl and flex.
21 August 2009: Wouter
- autotrust: debug routines. Read,write and conversions work.
20 August 2009: Wouter
- autotrust: save and read trustpoint variables.
19 August 2009: Wouter
- autotrust: state table updates.
- iana portlist updated.
17 August 2009: Wouter
- autotrust: process events.
17 August 2009: Wouter
- Fix so that servers are only blacklisted if they fail to reply
to 16 queries in a row and the timeout gets above 2 minutes.
- autotrust work, split up DS verification of DNSKEYs.
14 August 2009: Wouter
- unbound-control lookup prints out infra cache information, like RTT.
- Fix bug in DLV lookup reported by Amanda from Secure64.
It could sometimes wrongly classify a domain as unsigned, which
does not give the AD bit on replies.
13 August 2009: Wouter
- autotrust read anchor files. locked trust anchors.
12 August 2009: Wouter
- autotrust import work.
11 August 2009: Wouter
- Check for openssl compatible with gost if enabled.
- updated unit test for GOST=211 code.
Nicer naming of test files.
- iana portlist updated.
7 August 2009: Wouter
- call OPENSSL_config() in unbound and unit test so that the
operator can use openssl.cnf for configuration options.
- removed small memory leak from config file reader.
6 August 2009: Wouter
- configure --enable-gost for GOST support, experimental
implementation of draft-dolmatov-dnsext-dnssec-gost-01.
- iana portlist updated.
- ldns tarball updated (with GOST support).
5 August 2009: Wouter
- trunk moved to 1.3.4.
4 August 2009: Wouter
- Added test that the examples from draft rsasha256-14 verify.
- iana portlist updated.
- tagged 1.3.3
3 August 2009: Wouter
- nicer warning when algorithm not supported, tells you to upgrade.
- iana portlist updated.
27 July 2009: Wouter
- Updated unbound-cacti contribution from Dmitriy Demidov, with
the queue statistics displayed in its own graph.
- iana portlist updated.
22 July 2009: Wouter
- Fix bug found by Michael Tokarev where unbound would try to
prime the root servers even though forwarders are configured for
the root.
- tagged 1.3.3rc1
21 July 2009: Wouter
- Fix server selection, so that it waits for open target queries when
faced with lameness.
20 July 2009: Wouter
- Ignore transient sendto errors, no route to host, and host, net down.
- contrib/update-anchor.sh has -r option for root-hints.
- feature val-log-level: 1 prints validation failures so you can
keep track of them during dnssec deployment.
16 July 2009: Wouter
- fix replacement malloc code. Used in crosscompile.
- makedist -w creates crosscompiled setup.exe on fedora11.
15 July 2009: Wouter
- dependencies for compat items, for crosscompile.
- mingw32 crosscompile changes, dependencies and zipfile creation.
and with System.dll from the windows NSIS you can make setup.exe.
- package libgcc_s_sjlj exception handler for NSISdl.dll.
14 July 2009: Wouter
- updated ldns tarball for solaris x64 compile assistance.
- no need to define RAND_MAX from config.h.
- iana portlist updated.
- configure changes and ldns update for mingw32 crosscompile.
13 July 2009: Wouter
- Fix for crash at start on windows.
- tag for release 1.3.2.
- trunk has version 1.3.3.
- Fix for ID bits on windows to use all 16. RAND_MAX was not
defined like you'd expect on mingw. Reported by Mees de Roo.
9 July 2009: Wouter
- tag for release 1.3.1.
- trunk has version 1.3.2.
7 July 2009: Wouter
- iana portlist updated.
6 July 2009: Wouter
- prettier error handling in SSL setup.
- makedist.sh uname fix (same as ldns).
- updated fedora spec file.
3 July 2009: Wouter
- fixup linking when ldnsdir is "".
30 June 2009: Wouter
- more lenient truncation checks.
29 June 2009: Wouter
- ldns trunk r2959 imported as tarball, because of solaris cc compile
support for c99. r2960 for better configure.
- better wrongly_truncated check.
- On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
avoid dropped packets at routers.
26 June 2009: Wouter
- Fix EDNS fallback when EDNS works for short answers but long answers
are dropped.
22 June 2009: Wouter
- fixup iter priv strict aliasing while preserving size of sockaddr.
- iana portlist updated. (one less port allocated, one more fraction
of a bit for security!)
- updated fedora specfile in contrib from Paul Wouters.
19 June 2009: Wouter
- Fixup strict aliasing warning in iter priv code.
and config_file code.
- iana portlist updated.
- harden-referral-path: handle cases where NS is in answer section.
18 June 2009: Wouter
- Fix of message parse bug where (specifically) an NSEC and RRSIG
in the wrong order would be parsed, but put wrongly into internal
structures so that later validation would fail.
- Extreme lenience for wrongly truncated replies where a positive
reply has an NS in the authority but no signatures. They are
turned into minimal responses with only the (secure) answer.
- autoconf 2.63 for configure.
- python warnings suppress. Keep python API away from header files.
17 June 2009: Wouter
- CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
used for the python code in unbound. (http://www.nic.cz/vip/ in cz).
16 June 2009: Wouter
- Fixup opportunistic target query generation to it does not
generate queries that are known to fail.
- Touchup on munin total memory report.
- messages picked out of the cache by the iterator are checked
if their cname chain is still correct and if validation status
has to be reexamined.
15 June 2009: Wouter
- iana portlist updated.
14 June 2009: Wouter
- Fixed bug where cached responses would lose their security
status on second validation, which especially impacted dlv
lookups. Reported by Hauke Lampe.
13 June 2009: Wouter
- bug #254. removed random whitespace from example.conf.
12 June 2009: Wouter
- Fixup potential wrong NSEC picked out of the cache.
- If unfulfilled callbacks are deleted they are called with an error.
- fptr wlist checks for mesh callbacks.
- fwd above stub in configuration works.
11 June 2009: Wouter
- Fix queries for type DS when forward or stub zones are there.
They are performed to higherup domains, and thus treated as if
going to higher zones when looking up the right forward or stub
server. This makes a stub pointing to a local server that has
a local view of example.com signed with the same keys as are
publicly used work. Reported by Johan Ihren.
- Added build-unbound-localzone-from-hosts.pl to contrib, from
Dennis DeDonatis. It converts /etc/hosts into config statements.
- same thing fixed for forward-zone and DS, chain of trust from
public internet into the forward-zone works now. Added unit test.
9 June 2009: Wouter
- openssl key files are opened apache-style, when user is root and
before chrooting. This makes permissions on remote-control key
files easier to set up. Fixes bug #251.
- flush_type and flush_name remove msg cache entries.
- codereview - dp copy bogus setting fix.
8 June 2009: Wouter
- Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
inadvertant behaviour.
- 1.3.0 tarball for release created.
- 1.3.1 development in svn trunk.
- iana portlist updated.
- fix lint from complaining on ldns/sha.h.
- help compiler figure out aliasing in priv_rrset_bad() routine.
- fail to configure with python if swig is not found.
- unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
3 June 2009: Wouter
- fixup bad free() when wrongly encoded DSA signature is seen.
Reported by Paul Wouters.
- review comments from Matthijs.
2 June 2009: Wouter
- --enable-sha2 option. The draft rsasha256 changed its algorithm
numbers too often. Therefore it is more prudent to disable the
RSASHA256 and RSASHA512 support by default.
- ldns trunk included as new tarball.
- recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
29 May 2009: Wouter
- fixup doc bug in README reported by Matthew Dempsky.
28 May 2009: Wouter
- update iana port list
- update ldns lib tarball
27 May 2009: Wouter
- detect lack of IPv6 support on XP (with a different error code).
- Fixup a crash-on-exit which was triggered by a very long queue.
Unbound would try to re-use ports that came free, but this is
of course not really possible because everything is deleted.
Most easily triggered on XP (not Vista), maybe because of the
network stack encouraging large messages backlogs.
- change in debug statements.
- Fixed bug that could cause a crash if root prime failed when there
were message backlogs.
26 May 2009: Wouter
- Thanks again to Brett Carr, found an assertion that was not true.
Assertion checked if recursion parent query still existed.
29 April 2009: Wouter
- Thanks to Brett Carr, caught windows resource leak, use
closesocket() and not close() on sockets or else the network stack
starts to leak handles.
- Removed usage of windows Mutex because windows cannot handle enough
mutexes open. Provide own mutex implementation using primitives.
28 April 2009: Wouter
- created svn tag for 1.3.0.
27 April 2009: Wouter
- optimised cname from cache.
- ifdef windows functions in testbound.
23 April 2009: Wouter
- fix for threadsafety in solaris thr_key_create() in tests.
- iana portlist updated.
- fix pylib test for Darwin.
- fix pymod test for Darwin and a python threading bug in pymod init.
- check python >= 2.4 in configure.
- -ldl check for libcrypto 1.0.0beta.
21 April 2009: Wouter
- fix for build outside sourcedir.
- fix for configure script swig detection.
17 April 2009: Wouter
- Fix reentrant in minievent handler for unix. Could have resulted
in spurious event callbacks.
- timers do not take up a fd slot for winsock handler.
- faster fix for winsock reentrant check.
- fix rsasha512 unit test for new (interim) algorithm number.
- fix test:ldns doesn't like DOS line endings in keyfiles on unix.
- fix compile warning on ubuntu (configlexer fwrite return value).
- move python include directives into CPPFLAGS instead of CFLAGS.
16 April 2009: Wouter
- winsock event handler exit very quickly on signal, even if
under heavy load.
- iana portlist updated.
- fixup windows winsock handler reentrant problem.
14 April 2009: Wouter
- bug #245: fix munin plugin, perform cleanup of stale lockfiles.
- makedist.sh; better help text.
- cache-min-ttl option and tests.
- mingw detect error condition on TCP sockets (NOTCONN).
9 April 2009: Wouter
- Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
- ldns tarball updated.
- iana portlist update.
- detect GOST support in openssl-1.0.0-beta1, and fix compile problem
because that openssl defines the name STRING for itself.
6 April 2009: Wouter
- windows compile fix.
- Detect FreeBSD jail without ipv6 addresses assigned.
- python libunbound wrapper unit test.
- installs the following files. Default is to not build them.
from configure --with-pythonmodule:
/usr/lib/python2.x/site-packages/unboundmodule.py
from configure --with-pyunbound:
/usr/lib/python2.x/site-packages/unbound.py
/usr/lib/python2.x/site-packages/_unbound.so*
The example python scripts (pythonmod/examples and
libunbound/python/examples) are not installed.
- python invalidate routine respects packed rrset ids and locks.
- clock skew checks in unbound, config statements.
- nxdomain ttl considerations in requirements.txt
3 April 2009: Wouter
- Fixed a bug that caused messages to be stored in the cache too
long. Hard to trigger, but NXDOMAINs for nameservers or CNAME
targets have been more vulnerable to the TTL miscalculation bug.
- documentation test fixed for python addition.
2 April 2009: Wouter
- pyunbound (libunbound python plugin) compiles using libtool.
- documentation for pythonmod and pyunbound is generated in doc/html.
- iana portlist updated.
- fixed bug in unbound-control flush_zone where it would not flush
every message in the target domain. This especially impacted
NXDOMAIN messages which could remain in the cache regardless.
- python module test package.
1 April 2009: Wouter
- suppress errors when trying to contact authority servers that gave
ipv6 AAAA records for their nameservers with ipv4 mapped contents.
Still tries to do so, could work when deployed in intranet.
Higher verbosity shows the error.
- new libunbound calls documented.
- pyunbound in libunbound/python. Removed compile warnings.
Makefile to make it.
30 March 2009: Wouter
- Fixup LDFLAGS from libevent sourcedir compile configure restore.
- Fixup so no non-absolute rpaths are added.
- Fixup validation of RRSIG queries, they are let through.
- read /dev/random before chroot
- checkconf fix no python checks when no python module enabled.
- fix configure, pthread first, so other libs do not change outcome.
27 March 2009: Wouter
- nicer -h output. report linked libraries and modules.
- prints modules in intuitive order (config file friendly).
- python compiles easily on BSD.
26 March 2009: Wouter
- ignore swig varargs warnings with gcc.
- remove duplicate example.conf text from python example configs.
- outofdir compile fix for python.
- pyunbound works.
- print modules compiled in on -h. manpage.
25 March 2009: Wouter
- initial import of the python contribution from Zdenek Vasicek and
Marek Vavrusa.
- pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
24 March 2009: Wouter
- more neat configure.ac. Removed duplicate config.h includes.
- neater config.h.in.
- iana portlist updated.
- fix util/configlexer.c and solaris -std=c99 flag.
- fix postcommit aclocal errors.
- spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
- swap order of host detect and libtool generation.
23 March 2009: Wouter
- added launchd plist example file for MacOSX to contrib.
- deprecation test for daemon(3).
- moved common configure actions to m4 include, prettier Makefile.
20 March 2009: Wouter
- bug #239: module-config entries order is important. Documented.
- build fix for test asynclook.
19 March 2009: Wouter
- winrc/README.txt dos-format text file.
- iana portlist updated.
- use _beginthreadex() when available (performs stack alignment).
- defaults for windows baked into configure.ac (used if on mingw).
18 March 2009: Wouter
- Added tests, unknown algorithms become insecure. fallback works.
- Fix for and test for unknown algorithms in a trust anchor
definition. Trust anchors with no supported algos are ignored.
This means a (higher)DS or DLV entry for them could succeed, and
otherwise they are treated as insecure.
- domain-insecure: "example.com" statement added. Sets domain
insecure regardless of chain of trust DSs or DLVs. The inverse
of a trust-anchor.
17 March 2009: Wouter
- unit test for unsupported algorithm in anchor warning.
- fixed so queries do not fail on opportunistic target queries.
16 March 2009: Wouter
- fixup diff error printout in contrib/update-itar.sh.
- added contrib/unbound_cacti for statistics support in cacti,
contributed by Dmitriy Demidov.
13 March 2009: Wouter
- doxygen and lex/yacc on linux.
- strip update-anchor on makedist -w.
- fix testbound on windows.
- default log to syslog for windows.
- uninstaller can stop unbound - changed text on it to reflect that.
- remove debugging from windows 'cron' actions.
12 March 2009: Wouter
- log to App.logs on windows prints executable identity.
- fixup tests.
- munin plugin fix benign locking error printout.
- anchor-update for windows, called every 24 hours; unbound reloads.
11 March 2009: Wouter
- winsock event handler resets WSAevents after signalled.
- winsock event handler tests if signals are really signalled.
- install and service with log to file works on XP and Vista on
default install location.
- on windows logging to the Application logbook works (as a service).
- fix RUN_DIR on windows compile setting in makedist.
- windows registry has Software\Unbound\ConfigFile element.
If does not exist, the default is used. The -c switch overrides it.
- fix makedist version cleanup function.
10 March 2009: Wouter
- makedist -w strips out old rc.. and snapshot info from version.
- setup.exe starts and stops unbound after install, before uninstall.
- unbound-checkconf recognizes absolute pathnames on windows (C:...).
9 March 2009: Wouter
- Nullsoft NSIS installer creation script.
5 March 2009: Wouter
- fixup memory leak introduced on 18feb in mesh reentrant fix.
3 March 2009: Wouter
- combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
- service works on xp/vista, no config necessary (using defaults).
- windows registry settings.
2 March 2009: Wouter
- fixup --export-symbols to be -export-symbls for libtool.
This should fix extraneous symbols exported from libunbound.
Thanks to Ondrej Sury and Robert Edmonds for finding it.
- iana portlist updated.
- document FAQ entry on stub/forward zones and default blocking.
- fix asynclook test app for libunbound not exporting symbols.
- service install and remove utils that work with vista UAC.
27 February 2009: Wouter
- Fixup lexer, to not give warnings about fwrite. Appeared in
new lexer features.
- makedistro functionality for mingw. Has RC support.
- support spaces and backslashes in configured defaults paths.
- register, deregister in service control manager.
25 February 2009: Wouter
- windres usage for application resources.
24 February 2009: Wouter
- isc moved their dlv key download location.
- fixup warning on vista/mingw.
- makedist -w for window zip distribution first version.
20 February 2009: Wouter
- Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
Nicer script layout. Added url to site in -h output.
19 February 2009: Wouter
- unbound-checkconf and unbound print warnings when trust anchors
have unsupported algorithms.
- added contrib/update-itar.sh This script is similar to
update-anchor.sh, and updates from the IANA ITAR repository.
You can provide your own PGP key and trust repo, or can use the
builtin. The program uses wget and gpg to work.
- iana portlist updated.
- update-itar.sh: using ftp:// urls because https godaddy certificate
is not available everywhere and then gives fatal errors. The
security is provided by pgp signature.
18 February 2009: Wouter
- more cycle detection. Also for target queries.
- fixup bug where during deletion of the mesh queries the callbacks
that were reentrant caused assertion failures. Keep the mesh in
a reentrant safe state. Affects libunbound, reload of server,
on quit and flush_requestlist.
- iana portlist updated.
13 February 2009: Wouter
- forwarder information now per-thread duplicated.
This keeps it read only for speed, with no locking necessary.
- forward command for unbound control to change forwarders to use
on the fly.
- document that unbound-host reads no config file by default.
- updated iana portlist.
12 February 2009: Wouter
- call setusercontext if available (on BSD).
- small refactor of stats clearing.
- #227: flush_stats feature for unbound-control.
- stats_noreset feature for unbound-control.
- flush_requestlist feature for unbound-control.
- libunbound version upped API (was changed 5 feb).
- unbound-control status shows if root forwarding is in use.
- slightly nicer memory management in iter-fwd code.
10 February 2009: Wouter
- keys with rfc5011 REVOKE flag are skipped and not considered when
validating data.
- iana portlist updated
- #226: dump_requestlist feature for unbound-control.
6 February 2009: Wouter
- contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
- iana portlist updated.
- fixup EOL in include directive (reported by Paul Wouters).
You can no longer specify newlines in the names of included files.
- config parser changed. Gives some syntax errors closer to where they
occurred. Does not enforce a space after keyword anymore.
Does not allow literal newlines inside quoted strings anymore.
- verbosity level 5 logs customer IP for new requestlist entries.
- test fix, lexer and cancel test.
- new option log-time-ascii: yes if you enable it prints timestamps
in the log file as Feb 06 13:45:26 (like syslog does).
- detect event_base_new in libevent-1.4.1 and later and use it.
- #231 unbound-checkconf -o option prints that value from config file.
Useful for scripting in management scripts and the like.
5 February 2009: Wouter
- ldns 1.5.0 rc as tarball included.
- 1.3.0 development continues:
change in libunbound API: ub_cancel can return an error, that
the async_id did not exist, or that it was already delivered.
The result could have been delivered just before the cancel
routine managed to acquire the lock, so a caller may get the
result at the same time they call cancel. For this case,
ub_cancel tries to return an error code.
Fixes race condition in ub_cancel() libunbound function.
- MacOSX Leopard cleaner text output from configure.
- initgroups(3) is called to drop secondary group permissions, if
applicable.
- configure option --with-ldns-builtin forces the use of the
inluded ldns package with the unbound source. The -I include
is put before the others, so it avoids bad include files from
an older ldns install.
- daemon(3) posix call is used when available.
- testbound test for older fix added.
4 February 2009: Wouter
- tag for release 1.2.1.
- trunk setup for 1.3.0 development.
3 February 2009: Wouter
- noted feature requests in doc/TODO.
- printout more detailed errors on ssl certificate loading failures.
- updated IANA portlist.
16 January 2009: Wouter
- more quiet about ipv6 network failures, i.e. when ipv6 is not
available (network unreachable). Debug still printed on high
verbosity.
- unbound-host -4 and -6 options. Stops annoying ipv6 errors when
debugging with unbound-host -4 -d ...
- more cycle detection for NS-check, addr-check, root-prime and
stub-prime queries in the iterator. Avoids possible deadlock
when priming fails.
15 January 2009: Wouter
- bug #229: fixup configure checks for compilation with Solaris
Sun cc compiler, ./configure CC=/opt/SUNWspro/bin/cc
- fixup suncc warnings.
- fix bug where unbound could crash using libevent 1.3 and older.
- update testset for recent retry change.
14 January 2009: Wouter
- 1.2.1 feature: negative caching for failed queries.
Queries that failed are cached for 5 seconds (NORR_TTL).
If the failure is local, like out of memory, it is not cached.
- the TTL comparison for the cache used different comparisons,
causing many cache responses that used the iterator and validator
state machines unnecessarily.
- retry from 4 to 5 so that EDNS drop retry is part of the first
query resolve attempt, and cached error does not stop EDNS fallback.
- remove debug prints that protect against bad referrals.
- honor QUIET=no on make commandline (or QUIET=yes ).
13 January 2009: Wouter
- fixed bug in lameness marking, removed printouts.
- find NS rrset more cleanly for qtype NS.
- Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
reporting and logs.
- 1.2.1 feature: stops resolving AAAAs promiscuously when they
are in the negative cache.
12 January 2009: Wouter
- fixed bug in infrastructure lameness cache, did not lowercase
name of zone to hash when setting lame.
- lameness debugging printouts.
9 January 2009: Wouter
- created svn tag for 1.2.0 release.
- svn trunk contains 1.2.1 version number.
- iana portlist updated for todays list.
- removed debug print.
8 January 2009: Wouter
- new version of ldns-trunk (today) included as tarball, fixed
bug #224, building with -j race condition.
- remove possible race condition in the test for race conditions.
7 January 2009: Wouter
- version 1.2.0 in preparation.
- feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
statements. (Adapted from patch by Paul Wouters).
- typo fix and iana portlist updated.
- porting testsuite; unused var warning, and type fixup.
6 January 2009: Wouter
- fixup packet-of-death when compiled with --enable-debug.
A malformed packet could cause an internal assertion failure.
- added test for HINFO canonicalisation behaviour.
- fixup reported problem with transparent local-zone data where
queries with different type could get nxdomain. Now queries
with a different name get resolved normally, with different type
get a correct NOERROR/NODATA answer.
- HINFO no longer downcased for validation, making unbound compatible
with bind and ldns.
- fix reading included config files when chrooted.
Give full path names for include files.
Relative path names work if the start dir equals the working dir.
- fix libunbound message transport when no packet buffer is available.
5 January 2009: Wouter
- fixup getaddrinfo failure handling for remote control port.
- added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
- fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
- comm_timer_set performs base_set operation after event_add.
18 December 2008: Wouter
- fixed bug reported by Duane Wessels: error in DLV lookup, would make
some zones that had correct DLV keys as insecure.
- follows -rc makedist from ldns changes (no _rc).
- ldns tarball updated with 1.4.1rc for DLV unit test.
- verbose prints about recursion lame detection and server selection.
- fixup BSD port for infra host storage. It hashed wrongly.
- fixup makedist snapshot name generation.
- do not reopen syslog to avoid dev/log dependency.
17 December 2008: Wouter
- follows ldns makedist.sh. -rc option. autom4te dir removed.
- unbound-control status command.
- extended statistics has a number of ipv6 queries counter.
contrib/unbound_munin_ was updated to draw ipv6 in the hits graph.
16 December 2008: Wouter
- follow makedist improvements from ldns, for maintainers prereleases.
- snapshot version uses _ not - to help rpm distinguish the
version number.
11 December 2008: Wouter
- better fix for bug #219: use LOG_NDELAY with openlog() call.
Thanks to Tamas Tevesz.
9 December 2008: Wouter
- bug #221 fixed: unbound checkconf checks if key files exist if
remote control is enabled. Also fixed NULL printf when not chrooted.
- iana portlist updated.
3 December 2008: Wouter
- Fix problem reported by Jaco Engelbrecht where unbound-control stats
freezes up unbound if this was compiled without threading, and
was using multiple processes.
- iana portlist updated.
- test for remote control with interprocess communication.
- created command distribution mechanism so that remote control
commands other than 'stats' work on all processes in a nonthreaded
compiled version. dump/load cache work, on the first process.
- fixup remote control local_data addition memory corruption bug.
1 December 2008: Wouter
- SElinux policy files in contrib/selinux for the unbound daemon,
by Paul Wouters and Adam Tkac.
25 November 2008: Wouter
- configure complains when --without-ssl is given (bug #220).
- skip unsupported feature tests on vista/mingw.
- fixup testcode/streamtcp to work on vista/mingw.
- root-hints test checks version of dig required.
- blacklisted servers are polled at a low rate (1%) to see if they
come back up. But not if there is some other working server.
24 November 2008: Wouter
- document that the user of the server daemon needs read privileges
on the keys and certificates generated by unbound-control-setup.
This is different per system or distribution, usually, running the
script under the same username as the server uses suffices.
i.e. sudo -u unbound unbound-control-setup
- testset port to vista/mingw.
- tcp_sigpipe to freebsd port.
21 November 2008: Wouter
- fixed tcp accept, errors were printed when they should not.
- unbound-control-setup.sh removes read/write permissions other
from the keys it creates (as suggested by Dmitriy Demidov).
20 November 2008: Wouter
- fixup fatal error due to faulty error checking after tcp accept.
- add check in rlimit to avoid integer underflow.
- rlimit check with new formula; better estimate for number interfaces
- nicer comments in rlimit check.
- tag 1.1.1 created in svn.
- trunk label is 1.1.2
19 November 2008: Wouter
- bug #219: fixed so that syslog which delays opening until the first
log line is written, gets a log line while not chroot'ed yet.
18 November 2008: Wouter
- iana portlist updated.
- removed cast in unit test debug print that was not 64bit safe.
- trunk back to 1.1.0; copied to tags 1.1.0 release.
- trunk to has version number 1.1.1 again.
- in 1.1.1; make clean nicer. grammar in manpage.
17 November 2008: Wouter
- theoretical fix for problems reported on mailing list.
If a delegation point has no A but only AAAA and do-ip6 is no,
resolution would fail. Fixed to ask for the A and AAAA records.
It has to ask for both always, so that it can fail quietly, from
TLD perspective, when a zone is only reachable on one transport.
- test for above, only AAAA and doip6 is no. Fix causes A record
for nameserver to be fetched.
- fixup address duplication on cache fillup for delegation points.
- testset updated for new query answer requirements.
14 November 2008: Wouter
- created 1.1.0 release tag in svn.
- trunk moved to 1.1.1
- fixup unittest-neg for locking.
13 November 2008: Wouter
- added fedora init and specfile to contrib (by Paul Wouters).
- added configure check for ldns 1.4.0 (using its compat funcs).
- neater comments in worker.h.
- removed doc/plan and updated doc/TODO.
- silenced EHOSTDOWN (verbosity 2 or higher to see it).
- review comments from Jelte, Matthijs. Neater code.
12 November 2008: Wouter
- add unbound-control manpage to makedist replace list.
11 November 2008: Wouter
- unit test for negative cache, stress tests the refcounting.
- fix for refcounting error that could cause fptr_wlist fatal exit
in the negative cache rbtree (upcoming 1.1 feature). (Thanks to
Attila Nagy for testing).
- nicer comments in cachedump about failed RR to string conversion.
- fix 32bit wrap around when printing large (4G and more) mem usage
for extended statistics.
10 November 2008: Wouter
- fixup the getaddrinfo compat code rename.
8 November 2008: Wouter
- added configure check for eee build warning.
7 November 2008: Wouter
- fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
- detect nonblocking problems in network stack in configure script.
6 November 2008: Wouter
- dname_priv must decompress the name before comparison.
- iana portlist updated.
5 November 2008: Wouter
- fixed possible memory leak in key_entry_key deletion.
Would leak a couple bytes when trust anchors were replaced.
- if query and reply qname overlap, the bytes are skipped not copied.
- fixed file descriptor leak when messages were jostled out that
had outstanding (TCP) replies.
- DNAMEs used from cache have their synthesized CNAMEs initialized
properly.
- fixed file descriptor leak for localzone type deny (for TCP).
- fixed memleak at exit for nsec3 negative cached zones.
- fixed memleak for the keyword 'nodefault' when reading config.
- made verbosity of 'edns incapable peer' warning higher, so you
do not get spammed by it.
- caught elusive Bad file descriptor error bug, that would print the
error while unnecessarily try to listen to a closed fd. Fixed.
4 November 2008: Wouter
- fixed -Wwrite-strings warnings that result in better code.
3 November 2008: Wouter
- fixup build process for Mac OSX linker, use ldns b32 compat funcs.
- generated configure with autoconf-2.61.
- iana portlist updated.
- detect if libssl needs libdl. For static linking with libssl.
- changed to use new algorithm identifiers for sha256/sha512
from ldns 1.4.0 (need very latest version).
- updated the included ldns tarball.
- proper detection of SHA256 and SHA512 functions (not just sizes).
23 October 2008: Wouter
- a little more debug info for failure on signer names. prints names.
22 October 2008: Wouter
- CFLAGS are picked up by configure from the environment.
- iana portlist updated.
- updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
- new stub-prime: yesno option. Default is off, so it does not prime.
can be turned on to get same behaviour as previous unbound release.
- made automated test that checks if builtin root hints are uptodate.
- finished draft-wijngaards-dnsext-resolver-side-mitigation
implementation. The unwanted-reply-threshold can be set.
- fixup so fptr_whitelist test in alloc.c works.
21 October 2008: Wouter
- fix update-anchors.sh, so it does not report different RR order
as an update. Sorts the keys in the file. Updated copyright.
- fixup testbound on windows, the command control pipe doesn't exist.
- skip 08hostlib test on windows, no fork() available.
- made unbound-remote work on windows.
20 October 2008: Wouter
- quench a log message that is debug only.
- iana portlist updated.
- do not query bogus nameservers. It is like nameservers that have
the NS or A or AAAA record bogus are listed as donotquery.
- if server selection is faced with only bad choices, it will
attempt to get more options to be fetched.
- changed bogus-ttl default value from 900 to 60 seconds.
In anticipation that operator caused failures are more likely than
actual attacks at this time. And thus repeated validation helps
the operators get the problem fixed sooner. It makes validation
failures go away sooner (60 seconds after the zone is fixed).
Also it is likely to try different nameserver targets every minute,
so that if a zone is bad on one server but not another, it is
likely to pick up the 'correct' one after a couple minutes,
and if the TTL is big enough that solves validation for the zone.
- fixup unbound-control compilation on windows.
17 October 2008: Wouter
- port Leopard/G5: fixup type conversion size_t/uint32.
please ranlib, stop file without symbols warning.
- harden referral path now also validates the root after priming.
It looks up the root NS authoritatively as well as the root servers
and attemps to validate the entries.
16 October 2008: Wouter
- Fixup negative TTL values appearing (reported by Attila Nagy).
15 October 2008: Wouter
- better documentation for 0x20; remove fallback TODO, it is done.
- harden-referral-path feature includes A, AAAA queries for glue,
as well as very careful NS caching (only when doing NS query).
A, AAAA use the delegation from the NS-query.
14 October 2008: Wouter
- fwd_three.tpkg test was flaky. If the three requests hit the
wrong threads by chance (or bad OS) then the test would fail.
Made less flaky by increasing number of retries.
- stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
Which includes the ldns_dname_absolute fix.
- fwd_three test remains flaky now that unbound does not stop
listening when full. Thus, removed timeout problem.
It may be serviced by three threads, or maybe by one.
Mostly only useful for lock-check testing now.
13 October 2008: Wouter
- fixed recursion servers deployed as authoritative detection, so
that as a last resort, a +RD query is sent there to get the
correct answer.
- iana port list update.
- ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
10 October 2008: Wouter
- fixup tests - the negative cache contained the correct NSEC3s for
two tests that are supposed to fail to validate.
9 October 2008: Wouter
- negative cache caps max iterations of NSEC3 done.
- NSEC3 negative cache for qtype DS works.
8 October 2008: Wouter
- NSEC negative cache for DS.
6 October 2008: Wouter
- jostle-timeout option, so you can config for slow links.
- 0x20 fallback code. Tries 3xnumber of nameserver addresses
queries that must all be the same. Sent to random nameservers.
- documented choices for DoS, EDNS, 0x20.
2 October 2008: Wouter
- fixup unlink of pidfile.
- fixup SHA256 algorithm collation code.
- contrib/update-anchor.sh does not overwrite anchors if not needed.
exits 0 when a restart is needed, other values if not.
so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
can restart unbound exactly when needed.
30 September 2008: Wouter
- fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
- tests for sha256 support and downgrade resistance.
- RSASHA256 and RSASHA512 support (using the draft in dnsext),
using the drafted protocol numbers.
- when using stub on localhost (127.0.0.1@10053) unbound works.
Like when running NSD to host a local zone, on the same machine.
The noprime feature. manpages more explanation. Added a test for it.
- shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
29 September 2008: Wouter
- EDNS lameness detection, if EDNS packets are dropped this is
detected, eventually.
- multiple query timeout rtt backoff does not backoff too much.
26 September 2008: Wouter
- tests for remote-control.
- small memory leak in exception during remote control fixed.
- fixup for lock checking but not unchecking in remote control.
- iana portlist updated.
23 September 2008: Wouter
- Msg cache is loaded. A cache load enables cache responses.
- unbound-control flush [name], flush_type and flush_zone.
22 September 2008: Wouter
- dump_cache and load_cache statements in unbound-control.
RRsets are dumped and loaded correctly.
Msg cache is dumped.
19 September 2008: Wouter
- locking on the localdata structure.
- add and remove local zone and data with unbound-control.
- ldns trunk snapshot updated, make tests work again.
18 September 2008: Wouter
- fixup error in time calculation.
- munin plugin improvements.
- nicer abbreviations for high query types values (ixfr, axfr, any...)
- documented the statistics output in unbound-control man page.
- extended statistics prints out histogram, over unbound-control.
17 September 2008: Wouter
- locking for threadsafe bogus rrset counter.
- ldns trunk no longer exports b32 functions, provide compat.
- ldns tarball updated.
- testcode/ldns-testpkts.c const fixups.
- fixed rcode stat printout.
- munin plugin in contrib.
- stats always printout uptime, because stats plugins need it.
16 September 2008: Wouter
- extended-statistics: yesno config option.
- unwanted replies spoof nearmiss detector.
- iana portlist updated.
15 September 2008: Wouter
- working start, stop, reload commands for unbound-control.
- test for unbound-control working; better exit value for control.
- verbosity control via unbound-control.
- unbound-control stats.
12 September 2008: Wouter
- removed browser control mentions. Proto speccy.
11 September 2008: Wouter
- set nonblocking on new TCP streams, because linux does not inherit
the socket options to the accepted socket.
- fix TCP timeouts.
- SSL protected connection between server and unbound-control.
10 September 2008: Wouter
- remove memleak in privacy addresses on reloads and quits.
- remote control work.
9 September 2008: Wouter
- smallapp/unbound-control-setup.sh script to set up certificates.
4 September 2008: Wouter
- scrubber scrubs away private addresses.
- test for private addresses. man page entry.
- code refactored for name and address tree lookups.
3 September 2008: Wouter
- options for 'DNS Rebinding' protection: private-address and
private-domain.
- dnstree for reuse of routines that help with domain, addr lookups.
- private-address and private-domain config option read, stored.
2 September 2008: Wouter
- DoS protection features. Queries are jostled out to make room.
- testbound can pass time, increasing the internal timer.
- do not mark unsigned additionals bogus, leave unchecked, which
is removed too.
1 September 2008: Wouter
- disallow nonrecursive queries for cache snooping by default.
You can allow is using access-control: <subnet> allow_snoop.
The defaults do allow access no authoritative data without RD bit.
- two tests for it and fixups of tests for nonrec refused.
29 August 2008: Wouter
- version 1.1 number in trunk.
- harden-referral-path option for query for NS records.
Default turns off expensive, experimental option.
28 August 2008: Wouter
- fixup logfile handling; it is created with correct permissions
again. (from bugfix#199).
Some errors are not written to logfile (pidfile writing, forking),
and these are only visible by using the -d commandline flag.
27 August 2008: Wouter
- daemon(3) is causing problems for people. Reverting the patch.
bug#200, and 199 and 203 contain sideline discussion on it.
- bug#199 fixed: pidfile can be outside chroot. openlog is done before
chroot and drop permissions.
- config option to set size of aggressive negative cache,
neg-cache-size.
- bug#203 fixed: dlv has been implemented.
26 August 2008: Wouter
- test for insecure zone when DLV is in use, also does negative cache.
- test for trustanchor when DLV is in use (the anchor works).
- test for DLV used for a zone below a trustanchor.
- added scrub filter for overreaching NSEC records and unit test.
- iana portlist update
- use of setresuid or setreuid when available.
- use daemon(3) if available.
25 August 2008: Wouter
- realclean patch from Robert Edmonds.
22 August 2008: Wouter
- nicer debuglogging of DLV.
- test with secure delegation inside the DLV repository.
21 August 2008: Wouter
- negative cache code linked into validator, for DLV use.
negative cache works for DLV.
- iana portlist update.
- dlv-anchor option for unit tests.
- fixup NSEC_AT_APEX classification for short typemaps.
- ldns-testns has subdomain checks, for unit tests.
20 August 2008: Wouter
- negative cache code, reviewed.
18 August 2008: Wouter
- changes info: in logfile to notice: info: or debug: depending on
the verbosity of the statements. Better logfile message
classification.
- bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
15 August 2008: Wouter
- DLV nsec code fixed for better detection of closest existing
enclosers from NSEC responses.
- DLV works, straight to the dlv repository, so not for production.
- Iana port update.
14 August 2008: Wouter
- synthesize DLV messages from the rrset cache, like done for DS.
13 August 2008: Wouter
- bug #203: nicer do-auto log message when user sets incompatible
options.
- bug #204: variable name ameliorated in log.c.
- bug #206: in iana_update, no egrep, but awk use.
- ldns snapshot r2699 taken (includes DLV type).
- DLV work, config file element, trust anchor read in.
12 August 2008: Wouter
- finished adjusting testset to provide qtype NS answers.
11 August 2008: Wouter
- Fixup rrset security updates overwriting 2181 trust status.
This makes validated to be insecure data just as worthless as
nonvalidated data, and 2181 rules prevent cache overwrites to them.
- Fix assertion fail on bogus key handling.
- dnssec lameness detection works on first query at trust apex.
- NS queries get proper cache and dnssec lameness treatment.
- fixup compilation without pthreads on linux.
8 August 2008: Wouter
- NS queries are done after every referral.
validator is used on those NS records (if anchors enabled).
7 August 2008: Wouter
- Scrubber more strict. CNAME chains, DNAMEs from cache, other
irrelevant rrsets removed.
- 1.0.2 released from 1.0 support branch.
- fixup update-anchor.sh to work both in BSD shell and bash.
5 August 2008: Wouter
- fixup DS test so apex nodata works again.
4 August 2008: Wouter
- iana port update.
- TODO update.
- fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
- added explanatory text for outgoing-port-permit in manpage.
30 July 2008: Wouter
- fixup bug qtype DS for unsigned zone and signed parent validation.
25 July 2008: Wouter
- added original copyright statement of OpenBSD arc4random code.
- created tube signaling solution on windows, as a pipe replacement.
this makes background asynchronous resolution work on windows.
- removed very insecure socketpair compat code. It also did not
work with event_waiting. Solved by pipe replacement.
- unbound -h prints openssl version number as well.
22 July 2008: Wouter
- moved pipe actions to util/tube.c. easier porting and shared code.
- check _raw() commpoint callbacks with fptr_wlist.
- iana port update.
21 July 2008: Wouter
- #198: nicer entropy warning message. manpage OS hints.
19 July 2008: Wouter
- #198: fixup man page to suggest chroot entropy fix.
18 July 2008: Wouter
- branch for 1.0 support.
- trunk work on tube.c.
17 July 2008: Wouter
- fix bug #196, compile outside source tree.
- fix bug #195, add --with-username=user configure option.
- print error and exit if started with config that requires more
fds than the builtin minievent can handle.
16 July 2008: Wouter
- made svn tag 1.0.1, trunk now 1.0.2
- sha256 checksums enabled in makedist.sh
15 July 2008: Wouter
- Follow draft-ietf-dnsop-default-local-zones-06 added reverse
IPv6 example prefix to AS112 default blocklist.
- fixup lookup of DS records by client with trustanchor for same.
- libunbound ub_resolve, fix handling of error condition during setup.
- lowered log_hex blocksize to fit through BSD syslog linesize.
- no useless initialisation if getpwnam not available.
- iana, ldns snapshot updated.
3 July 2008: Wouter
- Matthijs fixed memory leaks in root hints file reading.
26 June 2008: Wouter
- fixup streamtcp bounds setting for udp mode, in the test framework.
- contrib item for updating trust anchors.
25 June 2008: Wouter
- fixup fwd_ancil test typos.
- Fix for newegg lameness : ok for qtype=A, but lame for others.
- fixup unit test for infra cache, test lame merging.
- porting to mingw, bind, listen, getsockopt and setsockopt error
handling.
24 June 2008: Wouter
- removed testcode/checklocks from production code compilation path.
- streamtcp can use UDP mode (connected UDP socket), for testing IPv6
on windows.
- fwd_ancil test fails if platform support is lacking.
23 June 2008: Wouter
- fixup minitpkg to cleanup on windows with its file locking troubles.
- minitpkg shows skipped tests in report.
- skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
ipv6 connectivity).
- winsock event handler keeps track of sticky TCP events, that have
not been fully handled yet. when interest in the event(s) resumes,
they are sent again. When WOULDBLOCK is returned events are cleared.
- skip tests that need signals when testing on mingw.
18 June 2008: Wouter
- open testbound replay files in binary mode, because fseek/ftell
do not work in ascii-mode on windows. The b does nothing on unix.
unittest and testbound tests work on windows (xp too).
- ioctlsocket prints nicer error message.
- fixed up some TCP porting for winsock.
- lack of IPv6 gives a warning, no fatal error.
- use WSAGetLastError() on windows instead of errno for some errors.
17 June 2008: Wouter
- outgoing num fds 32 by default on windows ; it supports less
fds for waiting on than unixes.
- winsock_event minievent handler for windows. (you could also
attempt to link with libevent/libev ports for windows).
- neater crypto check and gdi32 detection.
- unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
16 June 2008: Wouter
- on windows, use windows threads, mutex and thread-local-storage(Tls).
- detect if openssl needs gdi32.
- if no threading, THREADS_DISABLED is defined for use in the code.
- sets USE_WINSOCK if using ws2_32 on windows.
- wsa_strerror() function for more readable errors.
- WSA Startup and Cleanup called in unbound.exe.
13 June 2008: Wouter
- port mingw32, more signal ifdefs, detect sleep, usleep,
random, srandom (used inside the tests).
- signed or unsigned FD_SET is cast.
10 June 2008: Wouter
- fixup warnings compiling on eeepc xandros linux.
9 June 2008: Wouter
- in iteration response type code
* first check for SOA record (negative answer) before NS record
and lameness.
* check if no AA bit for non-forwarder, and thus lame zone.
In response to error report by Richard Doty for mail.opusnet.com.
- fixup unput warning from lexer on freeBSD.
- bug#183. pidfile, rundir, and chroot configure options. Also the
example.conf and manual pages get the configured defaults.
You can use: (or accept the defaults to /usr/local/etc/unbound/)
--with-conf-file=filename
--with-pidfile=filename
--with-run-dir=path
--with-chroot-dir=path
8 June 2008: Wouter
- if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
Reported by Robert Edmonds.
- iana port updated.
4 June 2008: Wouter
- updated libtool files with newer version.
- iana portlist updated.
3 June 2008: Wouter
- fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
trailing dot is not used during comparison.
2 June 2008: Wouter
- Jelte fixed bugs in my absence
- bug 178: fixed unportable shell usage in configure (relied on
bash shell).
- bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
- bug 181: fixed buffer overflow in ldns (called by unbound to parse
config file parts).
- fixes by Wouter
- bug 177: fixed compilation failure on opensuse, the
--disable-static configure flag caused problems. (Patch from
Klaus Singvogel)
- bug 179: same fix as 177.
- bug 185: --disable-shared not passed along to ldns included with
unbound. Fixed so that configure parameters are passed to the
subdir configure script.
fixed that ./libtool is used always, you can still override
manually with ./configure libtool=mylibtool or set $libtool in
the environment.
- update of the ldns tarball to current ldns svn version (fix 181).
- bug 184: -r option for unbound-host, read resolv.conf for
forwarder. (Note that forwarder must support DNSSEC for validation
to succeed).
23 May 2008: Wouter
- mingw32 porting.
- test for sys/wait.h
- WSAEWOULDBLOCK test after nonblocking TCP connect.
- write_iov_buffer removed: unused and no struct iov on windows.
- signed/unsigned warning fixup mini_event.
- use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
- skip signals that are not defined
- detect pwd.h.
- detect getpwnam, getrlimit, setsid, sbrk, chroot.
- default config has no chroot if chroot() unavailable.
- if no kill() then no pidfile is read or written.
- gmtime_r is replaced by nonthreadsafe alternative if unavail.
used in rrsig time validation errors.
22 May 2008: Wouter
- contrib unbound.spec from Patrick Vande Walle.
- fixup bug#175: call tzset before chroot to have correct timestamps
in system log.
- do not generate lex input and lex unput functions.
- mingw port. replacement functions labelled _unbound.
- fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
19 May 2008: Wouter
- fedora 9, check in6_pktinfo define in configure.
- CREDITS fixup of history.
- ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
16 May 2008: Wouter
- fixup for MacOSX hosts file reading (reported by John Dickinson).
- created 1.0.0 svn tag.
- trunk version 1.0.1.
14 May 2008: Wouter
- accepted patch from Ondrej Sury for library version libtool option.
- configure --disable-rpath fixes up libtool for rpath trouble.
Adapted from debian package patch file.
13 May 2008: Wouter
- Added root ipv6 addresses to builtin root hints.
- TODO modified for post 1.0 plans.
- trunk version set to 1.0.0.
- no unnecessary linking with librt (only when libevent/libev used).
7 May 2008: Wouter
- fixup no-ip4 problem with error callback in outside network.
25 April 2008: Wouter
- DESTDIR is honored by the Makefile for rpms.
- contrib files unbound.spec and unbound.init, builds working RPM
on FC7 Linux, a chrooted caching resolver, and libunbound.
- iana ports update.
24 April 2008: Wouter
- chroot checks improved. working directory relative to chroot.
checks if config file path is inside chroot. Documentation on it.
- nicer example.conf text.
- created 0.11 tag.
23 April 2008: Wouter
- parseunbound.pl contrib update from Kai Storbeck for threads.
- iana ports update
22 April 2008: Wouter
- ignore SIGPIPE.
- unit test for SIGPIPE ignore.
21 April 2008: Wouter
- FEATURES document.
- fixup reread of config file if it was given as a full path
and chroot was used.
16 April 2008: Wouter
- requirements doc, updated clean query returns.
- parseunbound.pl update from Kai Storbeck.
- sunos4 porting changes.
15 April 2008: Wouter
- fixup default rc.d pidfile location to /usr/local/etc.
- iana ports updated.
- copyright updated in ldns-testpkts to keep same as in ldns.
- fixup checkconf chroot tests a bit more, chdir must be inside
chroot dir.
- documented 'gcc: unrecognized -KPIC option' errors on Solaris.
- example.conf values changed to /usr/local/etc/unbound
- DSA test work.
- DSA signatures: unbound is compatible with both encodings found.
It will detect and convert when necessary.
14 April 2008: Wouter
- got update for parseunbound.pl statistics script from Kai Storbeck.
- tpkg tests for udp wait list.
- documented 0x20 status.
- fixup chroot and checkconf, it is much smarter now.
- fixup DSA EVP signature decoding. Solution that Jelte found copied.
- and check first sig byte for the encoding type.
11 April 2008: Wouter
- random port selection out of the configged ports.
- fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
- removed base_port.
- created 256-port ephemeral space for the OS, 59802 available.
- fixup consistency of port_if out array during heavy use.
10 April 2008: Wouter
- --with-libevent works with latest libevent 1.4.99-trunk.
- added log file statistics perl script to contrib.
- automatic iana ports update from makefile. 60058 available.
9 April 2008: Wouter
- configure can detect libev(from its build directory) when passed
--with-libevent=/home/wouter/libev-3.2
libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
- unused commpoints not listed in epoll list.
- statistics-cumulative option so that the values are not reset.
- config creates array of available ports, 61841 available,
it excludes <1024 and iana assigned numbers.
config statements to modify the available port numbers.
8 April 2008: Wouter
- unbound tries to set the ulimit fds when started as server.
if that does not work, it will scale back its requirements.
27 March 2008: Wouter
- documented /dev/random symlink from chrootdir as FAQ entry.
26 March 2008: Wouter
- implemented AD bit signaling. If a query sets AD bit (but not DO)
then the AD bit is set in the reply if the answer validated.
Without including DNSSEC signatures. Useful if you have a trusted
path from the client to the resolver. Follows dnssec-updates draft.
25 March 2008: Wouter
- implemented check that for NXDOMAIN and NOERROR answers a query
section must be present in the reply (by the scrubber). And it must
be equal to the question sent, at least lowercase folded.
Previously this feature happened because the cache code refused
to store such messages. However blocking by the scrubber makes
sure nothing gets into the RRset cache. Also, this looks like a
timeout (instead of an allocation failure) and this retries are
done (which is useful in a spoofing situation).
- RTT banding. Band size 400 msec, this makes band around zero (fast)
include unknown servers. This makes unbound explore unknown servers.
7 March 2008: Wouter
- -C config feature for harvest program.
- harvest handles CNAMEs too.
5 March 2008: Wouter
- patch from Hugo Koji Kobayashi for iterator logs spelling.
4 March 2008: Wouter
- From report by Jinmei Tatuya, rfc2181 trust value for remainder
of a cname trust chain is lower; not full answer_AA.
- test for this fix.
- default config file location is /usr/local/etc/unbound.
Thus prefix is used to determine the location. This is also the
chroot and pidfile default location.
3 March 2008: Wouter
- Create 0.10 svn tag.
- 0.11 version in trunk.
- indentation nicer.
29 February 2008: Wouter
- documentation update.
- fixup port to Solaris of perf test tool.
- updated ldns-tarball with decl-after-statement fixes.
28 February 2008: Wouter
- fixed memory leaks in libunbound (during cancellation and wait).
- libunbound returns the answer packet in full.
- snprintf compat update.
- harvest performs lookup.
- ldns-tarball update with fix for ldns_dname_label.
- installs to sbin by default.
- install all manual pages (unbound-host and libunbound too).
27 February 2008: Wouter
- option to use caps for id randomness.
- config file option use-caps-for-id: yes
- harvest debug tool
26 February 2008: Wouter
- delay utility delays TCP as well. If the server that is forwarded
to has a TCP error, the delay utility closes the connection.
- delay does REUSE_ADDR, and can handle a server that closes its end.
- answers use casing from query.
25 February 2008: Wouter
- delay utility works. Gets decent thoughput too (>20000).
22 February 2008: Wouter
- +2% for recursions, if identical queries (except for destination
and query ID) in the reply list, avoid re-encoding the answer.
- removed TODO items for optimizations that do not show up in
profile reports.
- default is now minievent - not libevent. As its faster and
not needed for regular installs, only for very large port ranges.
- loop check different speedup pkt-dname-reading, 1% faster for
nocache-recursion check.
- less hashing during msg parse, 4% for recursion.
- small speed fix for dname_count_size_labels, +1 or +2% recursion.
- some speed results noted:
optimization resulted in +40% for recursion (cache miss) and
+70 to +80 for cache hits, and +96% for version.bind.
zone nsec3 example, 100 NXDOMAIN queries, NSD 35182.8 Ub 36048.4
www.nlnetlabs.nl from cache: BIND 8987.99 Ub 31218.3
www with DO bit set : BIND 8269.31 Ub 28735.6 qps.
So, unbound can be about equal qps to NSD in cache hits.
And about 3.4x faster than BIND in cache performance.
- delay utility for testing.
21 February 2008: Wouter
- speedup of root-delegation message encoding by 15%.
- minor speedup of compress tree_lookup, maybe 1%.
- speedup of dname_lab_cmp and memlowercmp - the top functions in
profiler output, maybe a couple percent when it matters.
20 February 2008: Wouter
- setup speec_cache for need-ldns-testns in dotests.
- check number of queued replies on incoming queries to avoid overload
on that account.
- fptr whitelist checks are not disabled in optimize mode.
- do-daemonize config file option.
- minievent time share initializes time at start.
- updated testdata for nsec3 new algorithm numbers (6, 7).
- small performance test of packet encoding (root delegation).
19 February 2008: Wouter
- applied patch to unbound-host man page from Jan-Piet Mens.
- fix donotquery-localhost: yes default (it erroneously was switched
to default 'no').
- time is only gotten once and the value is shared across unbound.
- unittest cleans up crypto, so that it has no memory leaks.
- mini_event shares the time value with unbound this results in
+3% speed for cache responses and +9% for recursions.
- ldns tarball update with new NSEC3 sign code numbers.
- perform several reads per UDP operation. This improves performance
in DoS conditions, and costs very little in normal conditions.
improves cache response +50%, and recursions +10%.
- modified asynclook test. because the callback from async is not
in any sort of lock (and thus can use all library functions freely),
this causes a tiny race condition window when the last lock is
released for a callback and a new cancel() for that callback.
The only way to remove this is by putting callbacks into some
lock window. I'd rather have the small possibility of a callback
for a cancelled function then no use of library functions in
callbacks. Could be possible to only outlaw process(), wait(),
cancel() from callbacks, by adding another lock, but I'd rather not.
18 February 2008: Wouter
- patch to unbound-host from Jan-Piet Mens.
- unbound host prints errors if fails to configure context.
- fixup perf to resend faster, so that long waiting requests do
not hold up the queue, they become lost packets or SERVFAILs,
or can be sent a little while later (i.e. processing time may
take long, but throughput has to be high).
- fixup iterator operating in no cache conditions (RD flag unset
after a CNAME).
- streamlined code for RD flag setting.
- profiled code and changed dname compares to be faster.
The speedup is about +3% to +8% (depending on the test).
- minievent tests for eintr and eagain.
15 February 2008: Wouter
- added FreeBSD rc.d script to contrib.
- --prefix option for configure also changes directory: pidfile:
and chroot: defaults in config file.
- added cache speed test, for cache size OK and cache too small.
14 February 2008: Wouter
- start without a config file (will complain, but start with
defaults).
- perf test program works.
13 February 2008: Wouter
- 0.9 released.
- 1.0 development. Printout ldns version on unbound -h.
- start of perf tool.
- bugfix to read empty lines from /etc/hosts.
12 February 2008: Wouter
- fixup problem with configure calling itself if ldns-src tarball
is not present.
11 February 2008: Wouter
- changed library to use ub_ instead of ub_val_ as prefix.
- statistics output text nice.
- etc/hosts handling.
- library function to put logging to a stream.
- set any option interface.
8 February 2008: Wouter
- test program for multiple queries over a TCP channel.
- tpkg test for stream tcp queries.
- unbound replies to multiple TCP queries on a TCP channel.
- fixup misclassification of root referral with NS in answer
when validating a nonrec query.
- tag 0.9
- layout of manpages, spelling fix in header, manpages process by
makedist, list asynclook and tcpstream tests as ldns-testns
required.
7 February 2008: Wouter
- moved up all current level 2 to be level 3. And 3 to 4.
to make room for new debug level 2 for detailed information
for operators.
- verbosity level 2. Describes recursion and validation.
- cleaner configure script and fixes for libevent solaris.
- signedness for log output memory sizes in high verbosity.
6 February 2008: Wouter
- clearer explanation of threading configure options.
- fixup asynclook test for nothreading (it creates only one process
to do the extended test).
- changed name of ub_val_result_free to ub_val_resolve_free.
- removes warning message during library linking, renamed
libunbound/unbound.c -> libunbound.c and worker to libworker.
- fallback without EDNS if result is NOTIMPL as well as on FORMERR.
5 February 2008: Wouter
- statistics-interval: seconds option added.
- test for statistics option
- ignore errors making directories, these can occur in parallel builds
- fixup Makefile strip command and libunbound docs typo.
31 January 2008: Wouter
- bg thread/process reads and writes the pipe nonblocking all the time
so that even if the pipe is buffered or so, the bg thread does not
block, and services both pipes and queries.
30 January 2008: Wouter
- check trailing / on chrootdir in checkconf.
- check if root hints and anchor files are in chrootdir.
- no route to host tcp error is verbosity level 2.
- removed unused send_reply_iov. and its configure check.
- added prints of 'remote address is 1.2.3.4 port 53' to errors
from netevent; the basic socket errors.
28 January 2008: Wouter
- fixup uninit use of buffer by libunbound (query id, flags) for
local_zone answers.
- fixup uninit warning from random.c; also seems to fix sporadic
sigFPE coming out of openssl.
- made openssl entropy warning more silent for library use. Needs
verbosity 1 now.
- fixup forgotten locks for rbtree_searches on ctx->query tree.
- random generator cleanup - RND_STATE_SIZE removed, and instead
a super-rnd can be passed at init to chain init random states.
- test also does lock checks if available.
- protect config access in libworker_setup().
- libevent doesn't like comm_base_exit outside of runloop.
- close fds after removing commpoints only (for epoll, kqueue).
25 January 2008: Wouter
- added tpkg for asynclook and library use.
- allows localhost to be queried when as a library.
- fixup race condition between cancel and answer (in case of
really fast answers that beat the cancel).
- please doxygen, put doxygen comment in one place.
- asynclook -b blocking mode and test.
- refactor asynclook, nicer code.
- fixup race problems from opensll in rand init from library, with
a mutex around the rand init.
- fix pass async_id=NULL to _async resolve().
- rewrote _wait() routine, so that it is threadsafe.
- cancelation is threadsafe.
- asynclook extended test in tpkg.
- fixed two races where forked bg process waits for (somehow shared?)
locks, so does not service the query pipe on the bg side.
Now those locks are only held for fg_threads and for bg_as_a_thread.
24 January 2008: Wouter
- tested the cancel() function.
- asynclook -c (cancel) feature.
- fix fail to allocate context actions.
- make pipe nonblocking at start.
- update plane for retry mode with caution to limit bandwidth.
- fix Makefile for concurrent make of unbound-host.
- renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
- new calls to set forwarding added to header and docs.
23 January 2008: Wouter
- removed debug prints from if-auto, verb-algo enables some.
- libunbound QUIT setup, remove memory leaks, when using threads
will share memory for passing results instead of writing it over
the pipe, only writes ID number over the pipe (towards the handler
thread that does process() ).
22 January 2008: Wouter
- library code for async in libunbound/unbound.c.
- fix link testbound.
- fixup exit bug in mini_event.
- background worker query enter and result functions.
- bg query test application asynclook, it looks up multiple
hostaddresses (A records) at the same time.
21 January 2008: Wouter
- libworker work, netevent raw commpoints, write_msg, serialize.
18 January 2008: Wouter
- touch up of manpage for libunbound.
- support for IP_RECVDSTADDR (for *BSD ip4).
- fix for BSD, do not use ip4to6 mapping, make two sockets, once
ip6 and once ip4, uses socket options.
- goodbye ip4to6 mapping.
- update ldns-testpkts with latest version from ldns-trunk.
- updated makedist for relative ldns pathnames.
- library API with more information inside the result structure.
- work on background resolves.
17 January 2008: Wouter
- fixup configure in case -lldns is installed.
- fixup a couple of doxygen warnings, about enum variables.
- interface-automatic now copies the interface address from the
PKT_INFO structure as well.
- manual page with library API, all on one page 'man libunbound'.
- rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
16 January 2008: Wouter
- incoming queries to the server with TC bit on are replied FORMERR.
- interface-automatic replied the wrong source address on localhost
queries. Seems to be due to ifnum=0 in recvmsg PKTINFO. Trying
to use ifnum=-1 to mean 'no interface, use kernel route'.
15 January 2008: Wouter
- interface-automatic feature. experimental. Nice for anycast.
- tpkg test for ip6 ancillary data.
- removed debug prints.
- porting experience, define for Solaris, test refined for BSD
compatibility. The feature probably will not work on OpenBSD.
- makedist fixup for ldns-src in build-dir.
14 January 2008: Wouter
- in no debug sets NDEBUG to remove asserts.
- configure --enable-debug is needed for dependency generation
for assertions and for compiler warnings.
- ldns.tgz updated with ldns-trunk (where buffer.h is updated).
- fix lint, unit test in optimize mode.
- default access control allows ::ffff:127.0.0.1 v6mapped localhost.
11 January 2008: Wouter
- man page, warning removed.
- added text describing the use of stub zones for private zones.
- checkconf tests for bad hostnames (IP address), and for doubled
interface lines.
- memory sizes can be given with 'k', 'Kb', or M or G appended.
10 January 2008: Wouter
- typo in example.conf.
- made using ldns-src that is included the package more portable
by linking with .lo instead of .o files in the ldns package.
- nicer do-ip6: yes/no documentation.
- nicer linking of libevent .o files.
- man pages render correctly on solaris.
9 January 2008: Wouter
- fixup openssl RAND problem, when the system is not configured to
give entropy, and the rng needs to be seeded.
8 January 2008: Wouter
- print median and quartiles with extensive logging.
4 January 2008: Wouter
- document misconfiguration in private network.
2 January 2008: Wouter
- fixup typo in requirements.
- document that 'refused' is a better choice than 'drop' for
the access control list, as refused will stop retries.
7 December 2007: Wouter
- unbound-host has a -d option to show what happens. This can help
with debugging (why do I get this answer).
- fixup CNAME handling, on nodata, sets and display canonname.
- dot removed from CNAME display.
- respect -v for NXDOMAINs.
- updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
- size_t to int for portability of the header file.
- fixup bogus handling.
- dependencies and lint for unbound-host.
6 December 2007: Wouter
- library resolution works in foreground mode, unbound-host app
receives data.
- unbound-host prints rdata using ldns.
- unbound-host accepts trust anchors, and prints validation
information when you give -v.
5 December 2007: Wouter
- locking in context_new() inside the function.
- setup of libworker.
4 December 2007: Wouter
- minor Makefile fixup.
- moved module-stack code out of daemon/daemon into services/modstack,
preparing for code-reuse.
- move context into own header file.
- context query structure.
- removed unused variable pwd from checkconf.
- removed unused assignment from outside netw.
- check timeval length of string.
- fixup error in val_utils getsigner.
- fixup same (*var) error in netblocktostr.
- fixup memleak on parse error in localzone.
- fixup memleak on packet parse error.
- put ; after union in parser.y.
- small hardening in iter_operate against iq==NULL.
- hardening, if error reply with rcode=0 (noerror) send servfail.
- fixup same (*var) error in find_rrset in msgparse, was harmless.
- check return value of evtimer_add().
- fixup lockorder in lruhash_reclaim(), building up a list of locked
entries one at a time. Instead they are removed and unlocked.
- fptr_wlist for markdelfunc.
- removed is_locked param from lruhash delkeyfunc.
- moved bin_unlock during bin_split purely to please.
3 December 2007: Wouter
- changed checkconf/ to smallapp/ to make room for more support tools.
(such as unbound-host).
- install dirs created with -m 755 because they need to be accessible.
- library extensive featurelist added to TODO.
- please doxygen, lint.
- library test application, with basic functionality.
- fix for building in a subdirectory.
- link lib fix for Leopard.
30 November 2007: Wouter
- makefile that creates libunbound.la, basic file or libunbound.a
when creating static executables (no libtool).
- more API setup.
29 November 2007: Wouter
- 0.9 public API start.
28 November 2007: Wouter
- Changeup plan for 0.8 - no complication needed, a simple solution
has been chosen for authoritative features.
- you can use single quotes in the config file, so it is possible
to specify TXT records in local data.
- fixup small memory problem in implicit transparent zone creation.
- test for implicit zone creation and multiple RR RRsets local data.
- local-zone nodefault test.
- show testbound testlist on commit.
- iterator normalizer changes CNAME chains ending in NXDOMAIN where
the packet got rcode NXDOMAIN into rcode NOERROR. (since the initial
domain exists).
- nicer verbosity: 0 and 1 levels.
- lower nonRDquery chance of eliciting wrongly typed validation
requiring message from the cache.
- fix for nonRDquery validation typing; nodata is detected when
SOA record in auth section (all validation-requiring nodata messages
have a SOA record in authority, so this is OK for the validator),
and NS record is needed to be a referral.
- duplicate checking when adding NSECs for a CNAME, and test.
- created svn tag 0.8, after completing testbed tests.
27 November 2007: Wouter
- per suggestion in rfc2308, replaced default max-ttl value with 1 day.
- set size of msgparse lookup table to 32, from 1024, so that its size
is below the 2048 regional large size threshold, and does not cause
a call to malloc when a message is parsed.
- update of memstats tool to print number of allocation calls.
This is what is taking time (not space) and indicates the avg size
of the allocations as well. region_alloc stat is removed.
22 November 2007: Wouter
- noted EDNS in-the-middle dropping trouble as a TODO.
At this point theoretical, no user trouble has been reported.
- added all default AS112 zones.
- answers from local zone content.
* positive answer, the rrset in question
* nodata answer (exist, but not that type).
* nxdomain answer (domain does not exist).
* empty-nonterminal answer.
* But not: wildcard, nsec, referral, rrsig, cname/dname,
or additional section processing, NS put in auth.
- test for correct working of static and transparent and couple
of important defaults (localhost, as112, reverses).
Also checks deny and refuse settings.
- fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
21 November 2007: Wouter
- local zone internal data setup.
20 November 2007: Wouter
- 0.8 - str2list config support for double string config options.
- local-zone and local-data options, config storage and documentation.
19 November 2007: Wouter
- do not downcase NSEC and RRSIG for verification. Follows
draft-ietf-dnsext-dnssec-bis-updates-06.txt.
- fixup leaking unbound daemons at end of tests.
- README file updated.
- nice libevent not found error.
- README talks about gnu make.
- 0.8: unit test for addr_mask and fixups for it.
and unit test for addr_in_common().
- 0.8: access-control config file element.
and unit test rpl replay file.
- 0.8: fixup address reporting from netevent.
16 November 2007: Wouter
- privilege separation is not needed in unbound at this time.
TODO item marked as such.
- created beta-0.7 branch for support.
- tagged 0.7 for beta release.
- moved trunk to 0.8 for 0.8(auth features) development.
- 0.8: access control list setup.
15 November 2007: Wouter
- review fixups from Jelte.
14 November 2007: Wouter
- testbed script does not recreate configure, since its in svn now.
- fixup checkconf test so that it does not test
/etc/unbound/unbound.conf.
- tag 0.6.
13 November 2007: Wouter
- remove debug print.
- fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
12 November 2007: Wouter
- fixup signal handling where SIGTERM could be ignored if a SIGHUP
arrives later on.
- bugreports to unbound-bugs@nlnetlabs.nl
- fixup testbound so it exits cleanly.
- cleanup the caches on a reload, so that rrsetID numbers won't clash.
9 November 2007: Wouter
- took ldns snapshot in repo.
- default config file is /etc/unbound/unbound.conf.
If it doesn't exist, it is installed with the doc/example.conf file.
The file is not deleted on uninstall.
- default listening is not all, but localhost interfaces.
8 November 2007: Wouter
- Fixup chroot and drop user privileges.
- new L root ip address in default hints.
1 November 2007: Wouter
- Fixup of crash on reload, due to anchors in env not NULLed after
dealloc during deinit.
- Fixup of chroot call. Happens after privileges are dropped, so
that checking the passwd entry still works.
- minor touch up of clear() hashtable function.
- VERB_DETAIL prints out what chdir, username, chroot is being done.
- when id numbers run out, caches are cleared, as in design notes.
Tested with a mock setup with very few bits in id, it worked.
- harden-dnssec-stripped: yes is now default. It insists on dnssec
data for trust anchors. Included tests for the feature.
31 October 2007: Wouter
- cache-max-ttl config option.
- building outside sourcedir works again.
- defaults more secure:
username: "unbound"
chroot: "/etc/unbound"
The operator can override them to be less secure ("") if necessary.
- fix horrible oversight in sorting rrset references in a message,
sort per reference key pointer, not on referencepointer itself.
- pidfile: "/etc/unbound/unbound.pid" is now the default.
- tests changed to reflect the updated default.
- created hashtable clear() function that respects locks.
30 October 2007: Wouter
- fixup assertion failure that relied on compressed names to be
smaller than uncompressed names. A packet from comrite.com was seen
to be compressed to a larger size. Added it as unit test.
- quieter logging at low verbosity level for common tcp messages.
- no greedy TTL update.
23 October 2007: Wouter
- fixup (grand-)parent problem for dnssec-lameness detection.
- fixup tests to do additional section processing for lame replies,
since the detection needs that.
- no longer trust in query section in reply during dnssec lame detect.
- dnssec lameness does not make the server never ever queried, but
non-preferred. If no other servers exist or answer, the dnssec lame
server is used; the fastest dnssec lame server is chosen.
- added test then when trust anchor cannot be primed (nodata), the
insecure mode from unbound works.
- Fixup max queries per thread, any more are dropped.
22 October 2007: Wouter
- added donotquerylocalhost config option. Can be turned off for
out test cases.
- ISO C compat changes.
- detect RA-no-AA lameness, as LAME.
- DNSSEC-lameness detection, as LAME.
See notes in requirements.txt for choices made.
- tests for lameness detection.
- added all to make test target; need unbound for fwd tests.
- testbound does not pollute /etc/unbound.
19 October 2007: Wouter
- added configure (and its files) to svn, so that the trunk is easier
to use. ./configure, config.guess, config.sub, ltmain.sh,
and config.h.in.
- added yacc/lex generated files, util/configlexer.c,
util/configparser.c util/configparser.h, to svn.
- without lex no attempt to use it.
- unsecure response validation collated into one block.
- remove warning about const cast of cfgfile name.
- outgoing-interfaces can be different from service interfaces.
- ldns-src configure is done during unbound configure and
ldns-src make is done during unbound make, and so inherits the
make arguments from the unbound make invocation.
- nicer error when libevent problem causes instant exit on signal.
- read root hints from a root hint file (like BIND does).
18 October 2007: Wouter
- addresses are logged with errors.
- fixup testcode fake event to remove pending before callback
since the callback may create new pending items.
- tests updated because retries are now in iterator module.
- ldns-testpkts code is checked for differences between unbound
and ldns by makedist.sh.
- ldns trunk from today added in svn repo for fallback in case
no ldns is installed on the system.
make download_ldns refreshes the tarball with ldns svn trunk.
- ldns-src.tar.gz is used if no ldns is found on the system, and
statically linked into unbound.
- start of regional allocator code.
- regional uses less memory and variables, simplified code.
- remove of region-allocator.
- alloc cache keeps a cache of recently released regional blocks,
up to a maximum.
- make unit test cleanly free memory.
17 October 2007: Wouter
- fixup another cycle detect and ns-addr timeout resolution bug.
This time by refusing delegations from the cache without addresses
when resolving a mandatory-glue nameserver-address for that zone.
We're going to have to ask a TLD server anyway; might as well be
the TLD server for this name. And this resolves a lot of cases where
the other nameserver names lead to cycles or are not available.
- changed random generator from random(3) clone to arc4random wrapped
for thread safety. The random generator is initialised with
entropy from the system.
- fix crash where failure to prime DNSKEY tried to print null pointer
in the log message.
- removed some debug prints, only verb_algo (4) enables them.
- fixup test; new random generator took new paths; such as one
where no scripted answer was available.
- mark insecure RRs as insecure.
- fixup removal of nonsecure items from the additional.
- reduced timeout values to more realistic, 376 msec (262 msec has
90% of roundtrip times, 512 msec has 99% of roundtrip times.)
- server selection failover to next server after timeout (376 msec).
16 October 2007: Wouter
- no malloc in log_hex.
- assertions around system calls.
- protect against gethostname without ending zero.
- ntop output is null terminated by unbound.
- pidfile content null termination
- various snprintf use sizeof(stringbuf) instead of fixed constant.
- changed loopdetect % 8 with & 0x7 since % can become negative for
weird negative input and particular interpretation of integer math.
- dname_pkt_copy checks length of result, to protect result buffers.
prints an error, this should not happen. Bad strings should have
been rejected earlier in the program.
- remove a size_t underflow from msgreply size func.
15 October 2007: Wouter
- nicer warning.
- fix IP6 TCP, wrong definition check. With test package.
- fixup the fact that the query section was not compressed to,
the code was there but was called by value instead of by reference.
And test for the case, uses xxd and nc.
- more portable ip6 check for sockaddr types.
8 October 2007: Wouter
- --disable-rpath option in configure for 64bit systems with
several dynamic lib dirs.
7 October 2007: Wouter
- fixup tests for no AD bit in non-DO queries.
- test that makes sure AD bit is not set on non-DO query.
6 October 2007: Wouter
- removed logfile open early. It did not have the proper permissions;
it was opened as root instead of the user. And we cannot change user
id yet, since chroot and bind ports need to be done.
- callback checks for event callbacks done from mini_event. Because
of deletions cannot do this from netevent. This means when using
libevent the protection does not work on event-callbacks.
- fixup too small reply (did not zero counts).
- fixup reply no longer AD bit when query without DO bit.
5 October 2007: Wouter
- function pointer whitelist.
4 October 2007: Wouter
- overwrite sensitive random seed value after use.
- switch to logfile very soon if not -d (console attached).
- error messages do not reveal the trustanchor contents.
- start work on function pointer whitelists.
3 October 2007: Wouter
- fix for multiple empty nonterminals, after multiple DSes in the
chain of trust.
- mesh checks if modules are looping, and stops them.
- refetch with CNAMEd nameserver address regression test added.
- fixup line count bug in testcode, so testbound prints correct line
number with parse errors.
- unit test for multiple ENT case.
- fix for cname out of validated unsec zone.
- fixup nasty id=0 reuse. Also added assertions to detect its
return (the assertion catches in the existing test cases).
1 October 2007: Wouter
- skip F77, CXX, objC tests in configure step.
- fixup crash in refetch glue after a CNAME.
and protection against similar failures (with error print).
28 September 2007: Wouter
- test case for unbound-checkconf, fixed so it also checks the
interface: statements.
26 September 2007: Wouter
- SIGHUP will reopen the log file.
- Option to log to syslog.
- please lint, fixup tests (that went to syslog on open, oops).
- config check program.
25 September 2007: Wouter
- tests for NSEC3. Fixup bitmap checks for NSEC3.
- positive ANY response needs to check if wildcard expansion, and
check that original data did not exist.
- tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
delegation, for abuse of child zone apex nsec3.
- create 0.5 release tag.
24 September 2007: Wouter
- do not make test programs by default.
- But 'make test' will perform all of the tests.
- Advertise builtin select libevent alternative when no libevent
is found.
- signit can generate NSEC3 hashes, for generating tests.
- multiple nsec3 parameters in message test.
- too high nsec3 iterations becomes insecure test.
21 September 2007: Wouter
- fixup empty_DS_name allocated in wrong region (port DEC Alpha).
- fixup testcode lock safety (port FreeBSD).
- removes subscript has type char warnings (port Solaris 9).
- fixup of field with format type to int (port MacOS/X intel).
- added test for infinite loop case in nonRD answer validation.
It was a more general problem, but hard to reproduce. When an
unsigned rrset is being validated and the key fetched, the DS
sequence is followed, but if the final name has no DS, then no
proof is possible - the signature has been stripped off.
20 September 2007: Wouter
- fixup and test for NSEC wildcard with empty nonterminals.
- makedist.sh fixup for svn info.
- acl features request in plan.
- improved DS empty nonterminal handling.
- compat with ANS nxdomain for empty nonterminals. Attempts the nodata
proof anyway, which succeeds in ANS failure case.
- striplab protection in case it becomes -1.
- plans for static and blacklist config.
19 September 2007: Wouter
- comments about non-packed usage.
- plan for overload support in 0.6.
- added testbound tests for a failed resolution from the logs
and for failed prime when missing glue.
- fixup so useless delegation points are not returned from the
cache. Also the safety belt is used if priming fails to complete.
- fixup NSEC rdata not to be lowercased, bind compat.
18 September 2007: Wouter
- wildcard nsec3 testcases, and fixup to get correct wildcard name.
- validator prints subtype classification for debug.
17 September 2007: Wouter
- NSEC3 hash cache unit test.
- validator nsec3 nameerror test.
14 September 2007: Wouter
- nsec3 nodata proof, nods proof, wildcard proof.
- nsec3 support for cname chain ending in noerror or nodata.
- validator calls nsec3 proof routines if no NSECs prove anything.
- fixup iterator bug where it stored the answer to a cname under
the wrong qname into the cache. When prepending the cnames, the
qname has to be reset to the original qname.
13 September 2007: Wouter
- nsec3 find matching and covering, ce proof, prove namerror msg.
12 September 2007: Wouter
- fixup of manual page warnings, like for NSD bugreport.
- nsec3 work, config, max iterations, filter, and hash cache.
6 September 2007: Wouter
- fixup to find libevent on mac port install.
- fixup size_t vs unsigned portability in validator/sigcrypt.
- please compiler on different platforms, for unreachable code.
- val_nsec3 file.
- pthread_rwlock type is optional, in case of old pthread libs.
5 September 2007: Wouter
- cname, name error validator tests.
- logging of qtype ANY works.
- ANY type answers get RRSIG in answer section of replies (but not
in other sections, unless DO bit is on).
- testbound can replay a TCP query (set MATCH TCP in the QUERY).
- DS and noDS referral validation test.
- if you configure many trust anchors, parent trust anchors can
securely deny existence of child trust anchors, if validated.
- not all *.name NSECs are present because a wildcard was matched,
and *.name NSECs can prove nodata for empty nonterminals.
Also, for wildcard name NSECs, check they are not from the parent
zone (for wildcarded zone cuts), and check absence of CNAME bit,
for a nodata proof.
- configure option for memory allocation debugging.
- port configure option for memory allocation to solaris10.
4 September 2007: Wouter
- fixup of Leakage warning when serviced queries processed multiple
callbacks for the same query from the same server.
- testbound removes config file from /tmp on failed exit.
- fixup for referral cleanup of the additional section.
- tests for cname, referral validation.
- neater testbound tpkg output.
- DNAMEs no longer match their apex when synthesized from the cache.
- find correct signer name for DNAME responses.
- wildcarded DNAME test and fixup code to detect.
- prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
So that wildcarded CNAMEs get their NSEC with them to the answer.
- test for a CNAME to a DNAME to a CNAME to an answer, all from
different domains, for key fetching and signature checking of
CNAME'd messages.
3 September 2007: Wouter
- Fixed error in iterator that would cause assertion failure in
validator. CNAME to a NXDOMAIN response was collated into a response
with both a CNAME and the NXDOMAIN rcode. Added a test that the
rcode is changed to NOERROR (because of the CNAME).
- timeout on tcp does not lead to spurious leakage detect.
- account memory for name of lame zones, so that memory leakages does
not show lame cache growth as a leakage growth.
- config setting for lameness cache expressed in bytes, instead of
number of entries.
- tool too summarize allocations per code line.
31 August 2007: Wouter
- can read bind trusted-keys { ... }; files, in a compatibility mode.
- iterator should not detach target queries that it still could need.
the protection against multiple outstanding queries is moved to a
current_query num check.
- validator nodata, positive, referral tests.
- dname print can print '*' wildcard.
30 August 2007: Wouter
- fixup override date config option.
- config options to control memory usage.
- caught bad free of un-alloced data in worker_send error case.
- memory accounting for key cache (trust anchors and temporary cache).
- memory accounting fixup for outside network tcp pending waits.
- memory accounting fixup for outside network tcp callbacks.
- memory accounting for iterator fixed storage.
- key cache size and slabs config options.
- lib crypto cleanups at exit.
29 August 2007: Wouter
- test tool to sign rrsets for testing validator with.
- added RSA and DSA test keys, public and private pairs, 512 bits.
- default configuration is with validation enabled.
Only a trust-anchor needs to be configured for DNSSEC to work.
- do not convert to DER for DSA signature verification.
- validator replay test file, for a DS to DNSKEY DSA key prime and
positive response.
28 August 2007: Wouter
- removed double use for udp buffers, that could fail,
instead performs a malloc to do the backup.
- validator validates referral messages, by validating all the rrsets
and stores the rrsets in the cache. Further referral (nonRD queries)
replies are made from the rrset cache directly. Unless unchecked
rrsets are encountered, there are then validated.
- enforce that signing is done by a parent domain (or same domain).
- adjust TTL downwards if rrset TTL bigger than signature allows.
- permissive mode feature, sets AD bit for secure, but bogus does
not give servfail (bogus is changed into indeterminate).
- optimization of rrset verification. rr canonical sorting is reused,
for the same rrset. canonical rrset image in buffer is reused for
the same signature.
- if the rrset is too big (64k exactly + large owner name) the
canonicalization routine will fail if it does not fit in buffer.
- faster verification for large sigsets.
- verb_detail mode reports validation failures, but not the entire
algorithm for validation. Key prime failures are reported as
verb_ops level.
27 August 2007: Wouter
- do not garble the edns if a cache answer fails.
- answer norecursive from cache if possible.
- honor clean_additional setting when returning secure non-recursive
referrals.
- do not store referral in msg cache for nonRD queries.
- store verification status in the rrset cache to speed up future
verification.
- mark rrsets indeterminate and insecure if they are found to be so.
and store this in the cache.
24 August 2007: Wouter
- message is bogus if unsecure authority rrsets are present.
- val-clean-additional option, so you can turn it off.
- move rrset verification out of the specific proof types into one
routine. This makes the proof routines prettier.
- fixup cname handling in validator, cname-to-positive and cname-to-
nodata work.
- Do not synthesize DNSKEY and DS responses from the rrset cache if
the rrset is from the additional section. Signatures may have
fallen off the packet, and cause validation failure.
- more verbose signature date errors (with the date attached).
- increased default infrastructure cache size. It is important for
performance, and 1000 entries are only 212k (or a 400 k total cache
size). To 10000 entries (for 2M entries, 4M cache size).
23 August 2007: Wouter
- CNAME handling - move needs_validation to before val_new().
val_new() setups the chase-reply to be an edited copy of the msg.
new classification, and find signer can find for it.
removal of unsigned crap from additional, and query restart for
cname.
- refuse to follow wildcarded DNAMEs when validating.
But you can query for qtype ANY, or qtype DNAME and validate that.
22 August 2007: Wouter
- bogus TTL.
- review - use val_error().
21 August 2007: Wouter
- ANY response validation.
- store security status in cache.
- check cache security status and either send the query to be
validated, return the query to client, or send servfail to client.
Sets AD bit on validated replies.
- do not examine security status on an error reply in mesh_done.
- construct DS, DNSKEY messages from rrset cache.
- manual page entry for override-date.
20 August 2007: Wouter
- validate and positive validation, positive wildcard NSEC validation.
- nodata validation, nxdomain validation.
18 August 2007: Wouter
- process DNSKEY response in FINDKEY state.
17 August 2007: Wouter
- work on DS2KE routine.
- val_nsec.c for validator NSEC proofs.
- unit test for NSEC bitmap reading.
- dname iswild and canonical_compare with unit tests.
16 August 2007: Wouter
- DS sig unit test.
- latest release libevent 1.3c and 1.3d have threading fixed.
- key entry fixup data pointer and ttl absolute.
- This makes a key-prime succeed in validator, with DS or DNSKEY as
trust-anchor.
- fixup canonical compare byfield routine, fix bug and also neater.
- fixed iterator response type classification for queries of type
ANY and NS.
dig ANY gives sometimes NS rrset in AN and NS section, and parser
removes the NS section duplicate. dig NS gives sometimes the NS
in the answer section, as referral.
- validator FINDKEY state.
15 August 2007: Wouter
- crypto calls to verify signatures.
- unit test for rrsig verification.
14 August 2007: Wouter
- default outgoing ports changed to avoid port 2049 by default.
This port is widely blocked by firewalls.
- count infra lameness cache in memory size.
- accounting of memory improved
- outbound entries are allocated in the query region they are for.
- extensive debugging for memory allocations.
- --enable-lock-checks can be used to enable lock checking.
- protect undefs in config.h from autoheaders ministrations.
- print all received udp packets. log hex will print on multiple
lines if needed.
- fixed error in parser with backwards rrsig references.
- mark cycle targets for iterator did not have CD flag so failed
its task.
13 August 2007: Wouter
- fixup makefile, if lexer is missing give nice error and do not
mess up the dependencies.
- canonical compare routine updated.
- canonical hinfo compare.
- printout list of the queries that the mesh is working on.
10 August 2007: Wouter
- malloc and free overrides that track total allocation and frees.
for memory debugging.
- work on canonical sort.
9 August 2007: Wouter
- canonicalization, signature checks
- dname signature label count and unit test.
- added debug heap size print to memory printout.
- typo fixup in worker.c
- -R needed on solaris.
- validator override option for date check testing.
8 August 2007: Wouter
- ldns _raw routines created (in ldns trunk).
- sigcrypt DS digest routines
- val_utils uses sigcrypt to perform signature cryptography.
- sigcrypt keyset processing
7 August 2007: Wouter
- security status type.
- security status is copied when rdata is equal for rrsets.
- rrset id is updated to invalidate all the message cache entries
that refer to NSEC, NSEC3, DNAME rrsets that have changed.
- val_util work
- val_sigcrypt file for validator signature checks.
6 August 2007: Wouter
- key cache for validator.
- moved isroot and dellabel to own dname routines, with unit test.
3 August 2007: Wouter
- replanning.
- scrubber check section of lame NS set.
- trust anchors can be in config file or read from zone file,
DS and DNSKEY entries.
- unit test trust anchor storage.
- trust anchors converted to packed rrsets.
- key entry definition.
2 August 2007: Wouter
- configure change for latest libevent trunk version (needs -lrt).
- query_done and walk_supers are moved out of module interface.
- fixup delegation point duplicates.
- fixup iterator scrubber; lame NS set is let through the scrubber
so that the classification is lame.
- validator module exists, and does nothing but pass through,
with calling of next module and return.
- validator work.
1 August 2007: Wouter
- set version to 0.5
- module work for module to module interconnections.
- config of modules.
- detect cycle takes flags.
31 July 2007: Wouter
- updated plan
- release 0.4 tag.
30 July 2007: Wouter
- changed random state init, so that sequential process IDs are not
cancelled out by sequential thread-ids in the random number seed.
- the fwd_three test, which sends three queries to unbound, and
unbound is kept waiting by ldns-testns for 3 seconds, failed
because the retry timeout for default by unbound is 3 seconds too,
it would hit that timeout and fail the test. Changed so that unbound
is kept waiting for 2 seconds instead.
27 July 2007: Wouter
- removed useless -C debug option. It did not work.
- text edit of documentation.
- added doc/CREDITS file, referred to by the manpages.
- updated planning.
26 July 2007: Wouter
- cycle detection, for query state dependencies. Will attempt to
circumvent the cycle, but if no other targets available fails.
- unit test for AXFR, IXFR response.
- test for cycle detection.
25 July 2007: Wouter
- testbound read ADDRESS and check it.
- test for version.bind and friends.
- test for iterator chaining through several referrals.
- test and fixup for refetch for glue. Refetch fails if glue
is still not provided.
24 July 2007: Wouter
- Example section in config manual.
- Addr stored for range and moment in replay.
20 July 2007: Wouter
- Check CNAME chain before returning cache entry with CNAMEs.
- Option harden-glue, default is on. It will discard out of zone
data. If disabled, performance is faster, but spoofing attempts
become a possibility. Note that still normalize scrubbing is done,
and that the potentially spoofed data is used for infrastructure
and not returned to the client.
- if glue times out, refetch by asking parent of delegation again.
Much like asking for DS at the parent side.
- TODO items from forgery-resilience draft.
and on memory handling improvements.
- renamed module_event_timeout to module_event_noreply.
- memory reporting code; reports on memory usage after handling
a network packet (not on cache replies).
19 July 2007: Wouter
- shuffle NS selection when getting nameserver target addresses.
- fixup of deadlock warnings, yield cpu in checklock code so that
freebsd scheduler selects correct process to run.
- added identity and version config options and replies.
- store cname messages complete answers.
18 July 2007: Wouter
- do not query addresses, 127.0.0.1, and ::1 by default.
17 July 2007: Wouter
- forward zone options in config file.
- forward per zone in iterator. takes precedence over stubs.
- fixup commithooks.
- removed forward-to and forward-to-port features, subsumed by
new forward zones.
- fix parser to handle absent server: clause.
- change untrusted rrset test to account for scrubber that is now
applied during the test (which removes the poison, by the way).
- feature, addresses can be specified with @portnumber, like nsd.conf.
- test config files changed over to new forwarder syntax.
27 June 2007: Wouter
- delete of mesh does a postorder traverse of the tree.
- found and fixed a memory leak. For TTL=0 messages, that would
not be cached, instead the msg-replyinfo structure was leaked.
- changed server selection so it will filter out hosts that are
unresponsive. This is defined as a host with the maximum rto value.
This means that unbound tried the host for retries up to 120 secs.
The rto value will time out after host-ttl seconds from the cache.
This keeps such unresolvable queries from taking up resources.
- utility for keeping histogram.
26 June 2007: Wouter
- mesh is called by worker, and iterator uses it.
This removes the hierarchical code.
QueryTargets state and Finished state are merged for iterator.
- forwarder mode no longer sets AA bit on first reply.
- rcode in walk_supers is not needed.
25 June 2007: Wouter
- more mesh work.
- error encode routine for ease.
22 June 2007: Wouter
- removed unused _node iterator value from rbtree_t. Takes up space.
- iterator can handle querytargets state without a delegation point
set, so that a priming(stub) subquery error can be handled.
- iterator stores if it is priming or not.
- log_query_info() neater logging.
- changed iterator so that it does not alter module_qstate.qinfo
but keeps a chase query info. Also query_flags are not altered,
the iterator uses chase_flags.
- fixup crash in case no ports for the family exist.
21 June 2007: Wouter
- Fixup secondary buffer in case of error callback.
- cleanup slumber list of runnable states.
- module_subreq_depth fails to work in slumber list.
- fixup query release for cached results to sub targets.
- neater error for tcp connection failure, shows addr in verbose.
- rbtree_init so that it can be used with preallocated memory.
20 June 2007: Wouter
- new -C option to enable coredumps after forking away.
- doc update.
- fixup CNAME generation by scrubber, and memory allocation of it.
- fixup deletion of serviced queries when all callbacks delete too.
- set num target queries to 0 when you move them to slumber list.
- typo in check caused subquery errors to be ignored, fixed.
- make lint happy about rlim_t.
- freeup of modules after freeup of module-states.
- duplicate replies work, this uses secondary udp buffer in outnet.
19 June 2007: Wouter
- nicer layout in stats.c, review 0.3 change.
- spelling improvement, review 0.3 change.
- uncapped timeout for server selection, so that very fast or slow
servers will stand out from the rest.
- target-fetch-policy: "3 2 1 0 0" config setting.
- fixup queries answered without RD bit (for root prime results).
- refuse AXFR and IXFR requests.
- fixup RD flag in error reply from iterator. fixup RA flag from
worker error reply.
- fixup encoding of very short edns buffer sizes, now sets TC bit.
- config options harden-short-bufsize and harden-large-queries.
18 June 2007: Wouter
- same, move subqueries to slumber list when first has resolved.
- fixup last fix for duplicate callbacks.
- another offbyone in targetcounter. Also in Java prototype by the way.
15 June 2007: Wouter
- if a query asks to be notified of the same serviced query result
multiple times, this will succeed. Only one callback will happen;
multiple outbound-list entries result (but the double cleanup of it
will not matter).
- when iterator moves on due to CNAME or referral, it will remove
the subqueries (for other targets). These are put on the slumber
list.
- state module wait subq is OK with no new subqs, an old one may have
stopped, with an error, and it is still waiting for other ones.
- if a query loops, halt entire query (easy way to clean up properly).
14 June 2007: Wouter
- num query targets was > 0 , not >= 0 compared, so that fetch
policy of 0 did nothing.
13 June 2007: Wouter
- debug option: configure --enable-static-exe for compile where
ldns and libevent are linked statically. Default is off.
- make install and make uninstall. Works with static-exe and without.
installation of unbound binary and manual pages.
- alignment problem fix on solaris 64.
- fixup address in case of TCP error.
12 June 2007: Wouter
- num target queries was set to 0 at a bad time. Default it to 0 and
increase as target queries are done.
- synthesize CNAME and DNAME responses from the cache.
- Updated doxygen config for doxygen 1.5.
- aclocal newer version.
- doxygen 1.5 fixes for comments (for the strict check on docs).
11 June 2007: Wouter
- replies on TCP queries have the address field set in replyinfo,
for serviced queries, because the initiator does not know that
a TCP fallback has occured.
- omit DNSSEC types from nonDO replies, except if qtype is ANY or
if qtype directly queries for the type (and then only show that
'unknown type' in the answer section).
- fixed message parsing where rrsigs on their own would be put
in the signature list over the rrsig type.
7 June 2007: Wouter
- fixup error in double linked list insertion for subqueries and
for outbound list of serviced queries for iterator module.
- nicer printout of outgoing port selection.
- fixup cname target readout.
- nicer debug output.
- fixup rrset counts when prepending CNAMEs to the answer.
- fixup rrset TTL for prepended CNAMEs.
- process better check for looping modules, and which submodule to
run next.
- subreq insertion code fixup for slumber list.
- VERB_DETAIL, verbosity: 2 level gives short but readable output.
VERB_ALGO, verbosity: 3 gives extensive output.
- fixup RA bit in cached replies.
- fixup CNAME responses from the cache no longer partial response.
- error in network send handled without leakage.
- enable ip6 from config, and try ip6 addresses if available,
if ip6 is not connected, skips to next server.
5 June 2007: Wouter
- iterator state finished.
- subrequests without parent store in cache and stop.
- worker slumber list for ongoing promiscuous queries.
- subrequest error handling.
- priming failure returns SERVFAIL.
- priming gives LAME result, returns SERVFAIL.
- debug routine to print dns_msg as handled by iterator.
- memleak in config file stubs fixup.
- more small bugs, in scrubber, query compare no ID for lookup,
in dname validation for NS targets.
- sets entry.key for new special allocs.
- lognametypeclass can display unknown types and classes.
4 June 2007: Wouter
- random selection of equally preferred nameserver targets.
- reply info copy routine. Reuses existing code.
- cache lameness in response handling.
- do not touch qstate after worker_process_query because it may have
been deleted by that routine.
- Prime response state.
- Process target response state.
- some memcmp changed to dname_compare for case preservation.
1 June 2007: Wouter
- normalize incoming messages. Like unbound-java, with CNAME chain
checked, DNAME checked, CNAME's synthesized, glue checked.
- sanitize incoming messages.
- split msgreply encode functions into own file msgencode.c.
- msg_parse to queryinfo/replyinfo conversion more versatile.
- process_response, classify response, delegpt_from_message.
31 May 2007: Wouter
- querytargets state.
- dname_subdomain_c() routine.
- server selection, based on RTT. ip6 is filtered out if not available,
and lameness is checked too.
- delegation point copy routine.
30 May 2007: Wouter
- removed FLAG_CD from message and rrset caches. This was useful for
an agnostic forwarder, but not for a sophisticated (trust value per
rrset enabled) cache.
- iterator response typing.
- iterator cname handle.
- iterator prime start.
- subquery work.
- processInitRequest and processInitRequest2.
- cache synthesizes referral messages, with DS and NSEC.
- processInitRequest3.
- if a request creates multiple subrequests these are all activated.
29 May 2007: Wouter
- routines to lock and unlock array of rrsets moved to cache/rrset.
- lookup message from msg cache (and copy to region).
- fixed cast error in dns msg lookup.
- message with duplicate rrset does not increase its TTLs twice.
- 'qnamesize' changed to 'qname_len' for similar naming scheme.
25 May 2007: Wouter
- Acknowledge use of unbound-java code in iterator. Nicer readme.
- services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
rrset cache from module environment.
- packed rrset key has type and class as easily accessible struct
members. They are still kept in network format for fast msg encode.
- dns cache find_delegation routine.
- iterator main functions setup.
- dns cache lookup setup.
24 May 2007: Wouter
- small changes to prepare for subqueries.
- iterator forwarder feature separated out.
- iterator hints stub code, config file stub code, so that first
testing can proceed locally.
- replay tests now have config option to enable forwarding mode.
23 May 2007: Wouter
- outside network does precise timers for roundtrip estimates for rtt
and for setting timeout for UDP. Pending_udp takes milliseconds.
- cleaner iterator sockaddr conversion of forwarder address.
- iterator/iter_utils and iter_delegpt setup.
- root hints.
22 May 2007: Wouter
- outbound query list for modules and support to callback with the
outbound entry to the module.
- testbound support for new serviced queries.
- test for retry to TCP cannot use testbound any longer.
- testns test for EDNS fallback, test for TCP fallback already exists.
- fixes for no-locking compile.
- mini_event timer precision and fix for change in timeouts during
timeout callback. Fix for fwd_three tests, performed nonexit query.
21 May 2007: Wouter
- small comment on hash table locking.
- outside network serviced queries, contain edns and tcp fallback,
and udp retries and rtt timing.
16 May 2007: Wouter
- lruhash_touch() would cause locking order problems. Fixup in
lock-verify in case locking cycle is found.
- services/cache/rrset.c for rrset cache code.
- special rrset_cache LRU updating function that uses the rrset id.
- no dependencies calculation when make clean is called.
- config settings for infra cache.
- daemon code slightly cleaner, only creates caches once.
15 May 2007: Wouter
- host cache code.
- unit test for host cache.
14 May 2007: Wouter
- Port to OS/X and Dec Alpha. Printf format and alignment fixes.
- extensive lock debug report on join timeout.
- proper RTT calculation, in utility code.
- setup of services/cache/infra, host cache.
11 May 2007: Wouter
- iterator/iterator.c module.
- fixup to pass reply_info in testcode and in netevent.
10 May 2007: Wouter
- created release-0.3 svn tag.
- util/module.h
- fixed compression - no longer compresses root name.
9 May 2007: Wouter
- outside network cleans up waiting tcp queries on exit.
- fallback to TCP.
- testbound replay with retry in TCP mode.
- tpkg test for retry in TCP mode, against ldns-testns server.
- daemon checks max number of open files and complains if not enough.
- test where data expires in the cache.
- compiletests: fixed empty body ifstatements in alloc.c, in case
locks are disabled.
8 May 2007: Wouter
- outgoing network keeps list of available tcp buffers for outgoing
tcp queries.
- outgoing-num-tcp config option.
- outgoing network keeps waiting list of queries waiting for buffer.
- netevent supports outgoing tcp commpoints, nonblocking connects.
7 May 2007: Wouter
- EDNS read from query, used to make reply smaller.
- advertised edns value constants.
- EDNS BADVERS response, if asked for too high edns version.
- EDNS extended error responses once the EDNS record from the query
has successfully been parsed.
4 May 2007: Wouter
- msgreply sizefunc is more accurate.
- config settings for rrset cache size and slabs.
- hashtable insert takes argument so that a thread can use its own
alloc cache to store released keys.
- alloc cache special_release() locks if necessary.
- rrset trustworthiness type added.
- thread keeps a scratchpad region for handling messages.
- writev used in netevent to write tcp length and data after another.
This saves a roundtrip on tcp replies.
- test for one rrset updated in the cache.
- test for one rrset which is not updated, as it is not deemed
trustworthy enough.
- test for TTL refreshed in rrset.
3 May 2007: Wouter
- fill refs. Use new parse and encode to answer queries.
- stores rrsets in cache.
- uses new msgreply format in cache.
2 May 2007: Wouter
- dname unit tests in own file and spread out neatly in functions.
- more dname unit tests.
- message encoding creates truncated TC flagged messages if they do
not fit, and will leave out (whole)rrsets from additional if needed.
1 May 2007: Wouter
- decompress query section, extremely lenient acceptance.
But only for answers from other servers, not for plain queries.
- compression and decompression test cases.
- some stats added.
- example.conf interface: line is changed from 127.0.0.1 which leads
to problems if used (restricting communication to the localhost),
to a documentation and test address.
27 April 2007: Wouter
- removed iov usage, it is not good for dns message encoding.
- owner name compression more optimal.
- rrsig owner name compression.
- rdata domain name compression.
26 April 2007: Wouter
- floating point exception fix in lock-verify.
- lint uses make dependency
- fixup lint in dname owner domain name compression code.
- define for offset range that can be compressed to.
25 April 2007: Wouter
- prettier code; parse_rrset->type kept in host byte order.
- datatype used for hashvalue of converted rrsig structure.
- unit test compares edns section data too.
24 April 2007: Wouter
- ttl per RR, for RRSIG rrsets and others.
- dname_print debug function.
- if type is not known, size calc will skip DNAME decompression.
- RRSIG parsing and storing and putting in messages.
- dnssec enabled unit tests (from nlnetlabs.nl and se queries).
- EDNS extraction routine.
20 April 2007: Wouter
- code comes through all of the unit tests now.
- disabled warning about spurious extra data.
- documented the RRSIG parse plan in msgparse.h.
- rrsig reading and outputting.
19 April 2007: Wouter
- fix unit test to actually to tests.
- fix write iov helper, and fakevent code.
- extra builtin testcase (small packet).
- ttl converted to network format in packets.
- flags converted correctly
- rdatalen off by 2 error fixup.
- uses less iov space for header.
18 April 2007: Wouter
- review of msgparse code.
- smaller test cases.
17 April 2007: Wouter
- copy and decompress dnames.
- store calculated hash value too.
- routine to create message out of stored information.
- util/data/msgparse.c for message parsing code.
- unit test, and first fixes because of test.
* forgot rrset_count addition.
* did & of ptr on stack for memory position calculation.
* dname_pkt_copy forgot to read next label length.
- test from file and fixes
* double frees fixed in error conditions.
* types with less than full rdata allowed by parser.
Some dynamic update packets seem to use it.
16 April 2007: Wouter
- following a small change in LDNS, parsing code calculates the
memory size to allocate for rrs.
- code to handle ID creation.
13 April 2007: Wouter
- parse routines. Code that parses rrsets, rrs.
12 April 2007: Wouter
- dname compare routine that preserves case, with unit tests.
11 April 2007: Wouter
- parse work - dname packet parse, msgparse, querysection parse,
start of sectionparse.
10 April 2007: Wouter
- Improved alignment of reply_info packet, nice for 32 and 64 bit.
- Put RRset counts in reply_info, because the number of RRs can change
due to RRset updates.
- import of region-allocator code from nsd.
- set alloc special type to ub_packed_rrset_key.
Uses lruhash entry overflow chain next pointer in alloc cache.
- doxygen documentation for region-allocator.
- setup for parse scratch data.
5 April 2007: Wouter
- discussed packed rrset with Jelte.
4 April 2007: Wouter
- moved to version 0.3.
- added util/data/dname.c
- layout of memory for rrsets.
3 April 2007: Wouter
- detect sign of msghdr.msg_iovlen so that the cast to that type
in netevent (which is there to please lint) can be correct.
The type on several OSes ranges from int, int32, uint32, size_t.
Detects unsigned or signed using math trick.
- constants for DNS flags.
- compilation without locks fixup.
- removed include of unportable header from lookup3.c.
- more portable use of struct msghdr.
- casts for printf warning portability.
- tweaks to tests to port them to the testbed.
- 0.2 tag created.
2 April 2007: Wouter
- check sizes of udp received messages, not too short.
- review changes. Some memmoves can be memcpys: 4byte aligned.
set id correctly on cached answers.
- review changes msgreply.c, memleak on error condition. AA flag
clear on cached reply. Lowercase queries on hashing.
unit test on lowercasing. Test AA bit not set on cached reply.
Note that no TTLs are managed.
29 March 2007: Wouter
- writev or sendmsg used when answering from cache.
This avoids a copy of the data.
- do not do useless byteswap on query id. Store reply flags in uint16
for easier access (and no repeated byteswapping).
- reviewed code.
- configure detects and config.h includes sys/uio.h for writev decl.
28 March 2007: Wouter
- new config option: num-queries-per-thread.
- added tpkg test for answering three queries at the same time
using one thread (from the query service list).
27 March 2007: Wouter
- added test for cache and not cached answers, in testbound replays.
- testbound can give config file and commandline options from the
replay file to unbound.
- created test that checks if items drop out of the cache.
- added word 'partitioned hash table' to documentation on slab hash.
A slab hash is a partitioned hash table.
- worker can handle multiple queries at a time.
26 March 2007: Wouter
- config settings for slab hash message cache.
- test for cached answer.
- Fixup deleting fake answer from testbound list.
23 March 2007: Wouter
- review of yesterday's commits.
- covered up memory leak of the entry locks.
- answers from the cache correctly. Copies flags correctly.
- sanity check for incoming query replies.
- slabbed hash table. Much nicer contention, need dual cpu to see.
22 March 2007: Wouter
- AIX configure check.
- lock-verify can handle references to locks that are created
in files it has not yet read in.
- threaded hash table test.
- unit test runs lock-verify afterwards and checks result.
- need writelock to update data on hash_insert.
- message cache code, msgreply code.
21 March 2007: Wouter
- unit test of hash table, fixup locking problem in table_grow().
- fixup accounting of sizes for removing items from hashtable.
- unit test for hash table, single threaded test of integrity.
- lock-verify reports errors nicely. More quiet in operation.
16 March 2007: Wouter
- lock-verifier, checks consistent order of locking.
14 March 2007: Wouter
- hash table insert (and subroutines) and lookup implemented.
- hash table remove.
- unit tests for hash internal bin, lru functions.
13 March 2007: Wouter
- lock_unprotect in checklocks.
- util/storage/lruhash.h for LRU hash table structure.
12 March 2007: Wouter
- configure.ac moved to 0.2.
- query_info and replymsg util/data structure.
9 March 2007: Wouter
- added rwlock writelock checking.
So it will keep track of the writelock, and readlocks are enforced
to not change protected memory areas.
- log_hex function to dump hex strings to the logfile.
- checklocks zeroes its destroyed lock after checking memory areas.
- unit test for alloc.
- identifier for union in checklocks to please older compilers.
- created 0.1 tag.
8 March 2007: Wouter
- Reviewed checklock code.
7 March 2007: Wouter
- created a wrapper around thread calls that performs some basic
checking for data race and deadlock, and basic performance
contention measurement.
6 March 2007: Wouter
- Testbed works with threading (different machines, different options).
- alloc work, does the special type.
2 March 2007: Wouter
- do not compile fork funcs unless needed. Otherwise will give
type errors as their typedefs have not been enabled.
- log shows thread numbers much more nicely (and portably).
- even on systems with nonthreadsafe libevent signal handling,
unbound will exit if given a signal.
Reloads will not work, and exit is not graceful.
- start of alloc framework layout.
1 March 2007: Wouter
- Signals, libevent and threads work well, with libevent patch and
changes to code (close after event_del).
- set ipc pipes nonblocking.
27 February 2007: Wouter
- ub_thread_join portable definition.
- forking is used if no threading is available.
Tested, it works, since pipes work across processes as well.
Thread_join is replaced with waitpid.
- During reloads the daemon will temporarily handle signals,
so that they do not result in problems.
- Also randomize the outgoing port range for tests.
- If query list is full, will stop selecting listening ports for read.
This makes all threads service incoming requests, instead of one.
No memory is leaking during reloads, service of queries, etc.
- test that uses ldns-testns -f to test threading. Have to answer
three queries at the same time.
- with verbose=0 operates quietly.
26 February 2007: Wouter
- ub_random code used to select ID and port.
- log code prints thread id.
- unbound can thread itself, with reload(HUP) and quit working
correctly.
- don't open pipes for #0, doesn't need it.
- listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
23 February 2007: Wouter
- Can do reloads on sigHUP. Everything is stopped, and freed,
except the listening ports. Then the config file is reread.
And everything is started again (and listening ports if needed).
- Ports for queries are shared.
- config file added interface:, chroot: and username:.
- config file: directory, logfile, pidfile. And they work too.
- will daemonize by default now. Use -d to stay in the foreground.
- got BSD random[256 state] code, made it threadsafe. util/random.
22 February 2007: Wouter
- Have a config file. Removed commandline options, moved to config.
- tests use config file.
21 February 2007: Wouter
- put -c option in man page.
- minievent fd array capped by FD_SETSIZE.
20 February 2007: Wouter
- Added locks code and pthread spinlock detection.
- can use no locks, or solaris native thread library.
- added yacc and lex configure, and config file parsing code.
also makedist.sh, and manpage.
- put include errno.h in config.h
19 February 2007: Wouter
- Created 0.0 svn tag.
- added acx_pthread.m4 autoconf check for pthreads from
the autoconf archive. It is GPL-with-autoconf-exception Licensed.
You can specify --with-pthreads, or --without-pthreads to configure.
16 February 2007: Wouter
- Updated testbed script, works better by using make on remote end.
- removed check decls, we can compile without them.
- makefile supports LIBOBJ replacements.
- docs checks ignore compat code.
- added util/mini-event.c and .h, a select based alternative used with
./configure --with-libevent=no
It is limited to 1024 file descriptors, and has less features.
- will not create ip6 sockets if ip6 not on the machine.
15 February 2007: Wouter
- port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
Solaris 9, FreeBSD 6, Linux i386 and OSX powerpc.
- malloc rndstate, so that it is aligned for access.
- fixed rbtree cleanup with postorder traverse.
- fixed pending messages are deleted when handled.
- You can control verbosity; default is not verbose, every -v
adds more verbosity.
14 February 2007: Wouter
- Included configure.ac changes from ldns.
- detect (some) headers before the standards check.
- do not use isblank to test c99, since its not available on solaris9.
- review of testcode.
* entries in a RANGE are no longer reversed.
* print name of file with replay entry parse errors.
- port to OSX: cast to int for some prints of sizet.
- Makefile copies ldnstestpkts.c before doing dependencies on it.
13 February 2007: Wouter
- work on fake events, first fwd replay works.
- events can do timeouts and errors on queries to servers.
- test package that runs replay scenarios.
12 February 2007: Wouter
- work on fake events.
9 February 2007: Wouter
- replay file reading.
- fake event setup, it creates fake structures, and teardowns,
added signal callbacks to reply to be able to fake those,
and main structure of event replay routines.
8 February 2007: Wouter
- added tcp test.
- replay storage.
- testcode/fake_event work.
7 February 2007: Wouter
- return answer with the same ID as query was sent with.
- created udp forwarder test. I've done some effort to make it perform
quickly. After servers are created, no big sleep statements but
it checks the logfiles to see if servers have come up. Takes 0.14s.
- set addrlen value when calling recvfrom.
- comparison of addrs more portable.
- LIBEVENT option for testbed to set libevent directory.
- work on tcp input.
6 February 2007: Wouter
- reviewed code and improved in places.
5 February 2007: Wouter
- Picked up stdc99 and other define tests from ldns. Improved
POSIX define test to include getaddrinfo.
- defined constants for netevent callback error code.
- unit test for strisip6.
2 February 2007: Wouter
- Created udp4 and udp6 port arrays to provide service for both
address families.
- uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
- listens on both ip4 and ip6 ports to provide correct return address.
- worker fwder address filled correctly.
- fixup timer code.
- forwards udp queries and sends answer.
1 February 2007: Wouter
- outside network more UDP work.
- moved * closer to type.
- comm_timer object and events.
31 January 2007: Wouter
- Added makedist.sh script to make release tarball.
- Removed listen callback layer, did not add anything.
- Added UDP recv to netevent, worker callback for udp.
- netevent communication reply storage structure.
- minimal query header sanity checking for worker.
- copied over rbtree implementation from NSD (BSD licensed too).
- outgoing network query service work.
30 January 2007: Wouter
- links in example/ldns-testpkts.c and .h for premade packet support.
- added callback argument to listen_dnsport and daemon/worker.
29 January 2007: Wouter
- unbound.8 a short manpage.
26 January 2007: Wouter
- fixed memleak.
- make lint works on BSD and Linux (openssl defines).
- make tags works.
- testbound program start.
25 January 2007: Wouter
- fixed lint so it may work on BSD.
- put license into header of every file.
- created verbosity flag.
- fixed libevent configure flag.
- detects event_base_free() in new libevent 1.2 version.
- getopt in daemon. fatal_exit() and verbose() logging funcs.
- created log_assert, that throws assertions to the logfile.
- listen_dnsport service. Binds ports.
24 January 2007: Wouter
- cleaned up configure.ac.
23 January 2007: Wouter
- added libevent to configure to link with.
- util/netevent setup work.
- configure searches for libevent.
- search for libs at end of configure (when other headers and types
have been found).
- doxygen works with ATTR_UNUSED().
- util/netevent implementation.
22 January 2007: Wouter
- Designed header file for network communication.
16 January 2007: Wouter
- added readme.svn and readme.tests.
4 January 2007: Wouter
- Testbed script (run on multiple platforms the test set).
Works on Sunos9, Sunos10, FreeBSD 6.1, Fedora core 5.
- added unit test tpkg.
3 January 2007: Wouter
- committed first set of files into subversion repository.
svn co svn+ssh://unbound.net/svn/unbound
You need a ssh login. There is no https access yet.
- Added LICENSE, the BSD license.
- Added doc/README with compile help.
- main program stub and quiet makefile.
- minimal logging service (to stderr).
- added postcommit hook that serves emails.
- added first test 00-lint. postcommit also checks if build succeeds.
- 01-doc: doxygen doc target added for html docs. And stringent test
on documented files, functions and parameters.
15 December 2006: Wouter
- Created Makefile.in and configure.ac.
|