Tags: NLnetLabs/unbound
Tags
Unbound 1.20.0 This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much. To mitigate the issue new configuration options are introduced. The options `discard-timeout: 1900`, `wait-limit: 1000` and `wait-limit-cookie: 10000` are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config `wait-limit-netblock` and `wait-limit-cookie-netblock` the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down. Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite. The option `cache-min-negative-ttl` can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses. The option `cachedb-check-when-serve-expired` option makes Unbound use cachedb to check for expired responses, when `serve-expired` is enabled, and cachedb is used. It is enabled by default. The `-q` option for unbound-checkconf can be added to silence it when there are no errors. The DNSBomb vulnerability CVE-2024-33655. == Summary The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets. Unbound itself is not vulnerable for DoS, rather it can be used to take part in a pulsing DoS amplification attack. Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers. == Affected products Unbound up to and including 1.19.3. == Description The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results into large-sized, concentrated response bursts to the spoofed addresses. From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience: * discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts. * wait-limit: 1000 wait-limit-cookie: 10000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits. * wait-limit-netblock wait-limit-cookie-netblock These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies. The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers. == Acknowledgements We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack. Features - The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. - Merge #1027: Introduce 'cache-min-negative-ttl' option. - Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. - Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. - Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. - Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. - Remove unused portion from iter_dname_ttl unit test. - Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. - Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. - Fix doc test so it ignores but outputs unsupported doxygen options. - Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. - Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. - Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected. - Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. - Fix to unify codepath for local alias for rpz cname action override. - Fix rpz for cname override action after nsdname and nsip triggers. - Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. - Merge #1030: Persist the openssl and expat directories for repeated Windows builds. - Fix that rpz CNAME content is limited to the max number of cnames. - Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. - Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. - Add rpz unit test for nsip action override. - Fix rpz for qtype CNAME after nameserver trigger. - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. - Fix localdata and rpz localdata to match CNAME only if no direct type match is available. - Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). - For #831: Format text, use exclamation icon and explicit label names. - Fix name of unit test for subnet cache response. - Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. - Fix for #1032, add safeguard to make table space positive. - Fix comment in lruhash space function. - Fix to add unit test for lruhash space that exercises the routines. - Fix that when the server truncates the pidfile, it does not follow symbolic links. - Fix that the server does not chown the pidfile. - Fix #1034: DoT forward-zone via unbound-control. - Fix for crypto related failures to have a better error string. - Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. - Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. - Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. - For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. - Fix comment syntax for view function views_find_view. - Fix #595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. - Fixup compile without cachedb. - Add test for cachedb serve expired. - Extended test for cachedb serve expired. - Fix makefile dependencies for fake_event.c. - Fix cachedb for serve-expired with serve-expired-reply-ttl. - Fix to not reply serve expired unless enabled for cachedb. - Fix cachedb for serve-expired with serve-expired-client-timeout. - Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. - Fixup cachedb to not refetch when serve-expired-client-timeout is used. - Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8 - Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4. - Fix configure, autoconf for #1048. - Add checklock feature verbose_locking to trace locks and unlocks. - Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. - Merge #1053: Remove child delegations from cache when grandchild delegations are returned from parent. - Fix ci workflow for macos for moved install locations. - Fix configure flto check error, by finding grep for it. - Merge #1041: Stub and Forward unshare. This has one structure for them and fixes #1038: fatal error: Could not initialize thread / error: reading root hints. - Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument. - Fix doc unit test for out of directory build. - Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires. - Add unit tests for cachedb and subnet cache expired data. - Man page entry for unbound-checkconf -q. - Cleanup unnecessary strdup calls for EDE strings. - Fix doxygen comment for errinf_to_str_bogus.
Unbound 1.19.3 This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0. There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired. For dnstap, it logs type DoH and DoT correctly, if that is used for the message. The b.root-servers.net address is updated in the default root hints. When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size. Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries. Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers. Features: - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. Bug Fixes: - Fix unit test parse of origin syntax. - Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. - Fix #964: config.h.in~ backup file in release tar balls. - Merge #968: Replace the obsolescent fgrep with grep -F in tests. - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. - Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. - Fix to sync the tests script file common.sh. - iana portlist update. - Updated IPv4 and IPv6 address for b.root-servers.net in root hints. - Update test script file common.sh. - Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. - Fix #974: doc: default number of outgoing ports without libevent. - Merge #975: Fixed some syntax errors in rpl files. - Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. - Update example.conf with cookie options. - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. - Merge #985: Add DoH and DoT to dnstap message. - Fix #983: Sha1 runtime insecure change was incomplete. - Remove unneeded newlines and improve indentation in remote control code. - Merge #987: skip edns frag retry if advertised udp payload size is not smaller. - Fix unit test for #987 change in udp1xxx retry packet send. - Merge #988: Fix #981: dump_cache truncates large records. - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. - Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. - Merge #993: Update b.root-servers.net also in example config file. - Update workflow for ports to use newer openssl on windows compile. - Fix warning for windres on resource files due to redefinition. - Fix for #997: Print details for SSL certificate failure. - Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). - Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). - Merge #999: Search for protobuf-c with pkg-config. - Fix #1006: Can't find protobuf-c package since #999. - Fix documentation for access-control in the unbound.conf man page. - Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. - Document the suspend argument for process_ds_response(). - Move github workflows to use checkoutv4. - Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. - Fix for #1022: Fix ede prohibited in access control refused answers. - Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has.
Unbound 1.19.2 This security release fixes CVE-2024-1931. NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop. Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration. From version 1.19.2 on, the code is fixed to avoid looping indefinitely. We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability. Bug Fixes: - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies.
Unbound 1.19.1 This security release fixes two DNSSEC validation vulnerabilities: CVE-2023-50387 (referred here as the KeyTrap vulnerability) and CVE-2023-50868 (referred here as the NSEC3 vulnerability). The KeyTrap vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path. The NSEC3 vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path. Both can force Unbound to spend an enormous time (comparative to regular traffic) validating a single specially crafted DNSSEC response while everything else is on hold for that thread. A trivially orchestrated attack could render all threads busy with such responses leading to denial of service. From version 1.19.1 on, Unbound introduces suspension on DNSSEC response validations that seem to require more attempts than Unbound is willing to make per response validation run. Suspension means that Unbound will continue with other work before resuming a suspended validation offering CPU time between validation resumptions to other tasks. There is a backoff timer when suspending which is further influenced by the number of suspends already used and the amount of work currently in Unbound. The introduced builtin limits in Unbound are: - Max 4 DNSSEC key collissions are allowed when building chain of trust. More than that without a secure key treats the delegation as bogus. - 8 validation attempts per RRSET (combination of keys + signatures). If more are needed and Unbound has yet to find a valid signature the RRSET is treated as bogus. - More than 8 validation attempts per answer will suspend validation. - 8 NSEC3 hash calculations are allowed before suspension. More than that will suspend validation. - The limit of total suspensions is 16 after which the query will error out. Any completed RRSET validations populate the cache for use in future queries. While under attack Unbound could show higher CPU load because of the needed validations but the suspend strategy would guarantee the CPU is not locked on any particular validation task. We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for discovering and responsibly disclosing the KeyTrap vulnerability. We would like to thank Petr Špaček from ISC for discovering and responsibly disclosing the NSEC3 vulnerability. Bug Fixes - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
Unbound 1.19.0 This release fixes a number of bugs, and adds some smaller features. The redis-logical-db option and cachedb-no-store option can be used for cachedb configuration. The disable-edns-do option can be used for working around broken network parts. For DNS64 there is fallback to plain AAAA when no A record exists. There is a bug fix that when the UDP interface keeps returning that sending is not possible, unbound does not loop endlessly and waits for the condition to go away. Resource records of type A and AAAA that are an inappropriate length are removed from responses. This hardens against bad content. Features - Fix #850: [FR] Ability to use specific database in Redis, with new redis-logical-db configuration option. - Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes #79. - Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis, and minor DNS64 code refactoring for better readability. - Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. Bug Fixes - Fix for version generation race condition that ignored changes. - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. - Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later. - Fix autoconf 2.69 warnings in configure. - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1. - Merge #931: Prevent warnings from -Wmissing-prototypes. - Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses. - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c. - Fix to add EDE text when RRs have been removed due to length. - Fix to set ede match in unit test for rr length removal. - Fix to print EDE text in readable form in output logs. - Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser. - Fix authority zone answers for obscured DNAMEs and delegations. - Merge #936: Check for c99 with autoconf versions prior to 2.70. - Fix to remove two c99 notations. - Fix rpz tcp-only action with rpz triggers nsdname and nsip. - Fix misplaced comment. - Merge #881: Generalise the proxy protocol code. - Fix #946: Forwarder returns servfail on upstream response noerror no data. - Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream. - Fix that printout of EDNS options shows the EDNS cookie option by name. - Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948. - Fix #949: "could not create control compt". - Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout. - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. Addesses #947 and #948. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Fix #954: Inconsistent RPZ handling for A record returned along with CNAME. - Fixes for the DNS64 patches. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Merge #955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Clearer configure text for missing protobuf-c development libraries. - autoconf. - Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default declaration. - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by dukeartem to also fix the udp_ancil with dnscrypt. - Fix SSL compile failure for definition in log_crypto_err_io_code_arg. - Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg. - Fix compilation without openssl, remove unused function warning. - Mention flex and bison in README.md when building from repository source.
Unbound 1.18.0 This release adds DNS cookies downstream, support to respond with EDE error codes from cache, NAT64 support, and the capability to use a socket queue timeout to discard old packets, and other features and bug fixes. The downstream DNS server cookies are from RFC7873 and RFC9018, it is turned on with `answer-cookie: yes`. It generates a random cookie secret, but for anycast setups the cookie secret can be configured with `cookie-secret: "128bithex"` with the same value as the other instances. Non cookie traffic can be disallowed with the `allow_cookie` acl option for access-control. Queries with valid cookie bypass the ordinary ratelimit, but a ratelimit can be configured for cookie queries with `ip-ratelimit-cookie: 100`. The statistics has counters for `query_cookie_valid` and `query_cookie_client` and `query_cookie_invalid`. When queries come in with CD flag, a DNSSEC validation EDE can be returned, with information regarding a failure. EDE error information is also stored in the cache with the query responses. There is also EDE error information stored for the cachedb and the subnetcache. There is NAT64 support, that is enabled with `do-nat64: yes`. The NAT64 prefix can be configured too, if not the default `nat64-prefix: 64:ff9b::0/96`. This is useful for an IPv6 only host where Unbound is running, so that Unbound can use NAT64 to connect to IPv4 servers. The new default for the maximum UDP response size is 1232, with `max-udp-size: 1232`. This is similar to other resolvers. The new default is smaller and that makes it harder to get large responses. Thanks to Xiang Li, from NISL Lab, Tsinghua University. There is a new option `harden-unknown-additional: yes`. This removes unknown records from the authority and additional section. This stops unknown records from being copied from the upstream to the downstream client, potentially exposing those clients to the extra records. Default is no, because it could hamper future protocol developments that want to add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University. With the `sock-queue-timeout: 3` option kernel timestamps are turned on for UDP queries, and old packets are dropped. Queries that have waited in the socket buffer for a long time are then discarded, and is useful if the host was not running for a while. The statistics has `num.queries_timed_out` and `query.queue_time_us.max` counters. The local-zone type `block_a` is for when queries to IPv4 have to be stopped to force IPv6 usage. It stops type A queries with nodata, and transparently allows other queries. The redis server can be contacted over a unix socket with `redis-server-path: "/var/lib/redis/redis-server.sock"`. The redis server password can be configured with `redis-server-password: "password"`. The number of hashtable collisions is logged in the statistics counters `msg.cache.max_collisions` and `rrset.cache.max_collisions`. It can be used to monitor for mistakes where the wrong or same hash value occurs too frequently. The repository does not have the bison and flex generated output in it, so these tools are necessary to compile from a checkout, the tarball distribution contains pregenerated files and can use either those files or bison and flex tools on the compile system. If kernel timestamps are enabled, with the sock-queue-timeout option, they are also used to set the time for dnstap logs. There is a yocto compatible init script available in the contrib directory of the source code, `unbound.init_yocto`. The number of cachedb hits from cache is output in `num.query.cachedb`. There is support for the dohpath parameter for the SVCB record type. Prefetch is supported for subnet cache entries. Detection of the python paths on the system has been expanded. Features - Merge #826: Аdd a metric about the maximum number of collisions in lrushah. - Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University. - Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University. - Merge #819: Added new static zone type block_a to suppress all A queries for specific zones. - Fix #835: [FR] Ability to use Redis unix sockets. - Fix #833: [FR] Ability to set the Redis password. - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts. - Merge #722 from David 'eqvinox' Lamparter: NAT64 support. - Fix #888: [FR] Use kernel timestamps for dnstap. - Merge #903: contrib: add yocto compatible init script. - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter. - Merge #739: Add SVCB dohpath support. - Merge #802: add validation EDEs to queries where the CD bit is set. - Merge #664 from tilan7763: Add prefetch support for subnet cache entries. - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching. - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache. - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. A `cookie-secret:` can be configured for anycast setups. Without one, a random cookie secret is generated. The acl option `allow_cookie` allows queries with either a valid cookie or over a stateful transport. The statistics output has `queries_cookie_valid` and `queries_cookie_client` and `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:` value determines a rate limit for queries with cookies, if desired. Bug Fixes - Fix #823: Response change to NODATA for some ANY queries since 1.12, tested on 1.16.1. - Fix python module install path detection. - Fix python version detection in configure. - Improve documentation for #826, describe the large collisions amount. - Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, Tsinghua University. The fix stops query loops, by refusing to send RD=0 queries to a forwarder, they still get answered from cache. - Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments. - Fix test for new default. - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes. - Add duration variable for speed_local.test. - Fix #841: Unbound won't build with aaaa-filter-iterator.patch. - Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content. - Fix unit tests for spurious empty messages. - Fix consistency of unit test without roundrobin answers for the cnametooptout unit test. - Fix to git ignore the library symbol file that configure can create. - Allow TTL refresh of expired error responses. - Add testcase for refreshing expired error responses. - Clean up iterator/iterator.c::error_response_cache() and allow for better interaction with serve-expired, prefetch and cached error responses. - Fix #825: Unexpected behavior with client-subnet-always-forward and serve-expired - Fix for #852: Completion of error handling. - Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly. - Fix ssl.h include brackets, instead of quotes. - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3. - iana portlist update. - Fix issue #851: reserved identifier violation - Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle - Extra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error. - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record. - Fix for #870: Add test case for the qname minimisation and CNAME. - Fix build badge, from failing travis link to github ci action link. - Merge #875: change obsolete txt URL in unbound-anchor.c to point to RFC 7958, and Fix #874. - Fix for #878: Invalid IP address in unbound.conf causes Segmentation Fault on OpenBSD. - Fix for #882: small changes, date updated in Copyright for util/timeval_func.c and util/timeval_func.h. Man page entries and example entry. - Fix for #882: document variable to stop doxygen warning. - Fix issue #860: Bad interaction with 0 TTL records and serve-expired - Fix RPZ IP responses with trigger rpz-drop on cache entries, that they are dropped. - For #722: minor fixes, formatting, refactoring. - Fix #885: Error: util/configlexer.c: No such file or directory, adds error messages explaining to install flex and bison. - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h. - Fix doxygen in addr_to_nat64 header definition. - Fix warning in windows compile, in set_recvtimestamp. - Fix to print debug log for ancillary data with correct IP address. - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR. - Fix to remove unused variables from RPZ clientip data structure. - Fix unbound-dnstap-socket printout when no query is present. - Fix unbound-dnstap-socket time fraction conversion for printout. - Merge #896: Fix: #895: pythonmodule: add all site-packages directories to sys.path. - Fix #895: python + sysconfig gives ANOTHER path comparing to distutils. - Fix for uncertain unit test for doh buffer size events. - Properly handle all return values of worker_check_request during early EDE code. - Do not check the incoming request more than once. - Fix for issue #887 (Timeouts to forward servers on BSD based system with ASLR) - Probably fixes #516 (Stream reuse does not work on Windows) as well - Remove warning about unknown cast-function-type warning pragma. - Fix python modules with multiple scripts, by incrementing reference counts. - More fixes for reference counting for python module and clean up failure code. - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading which causes memory leaks. - Fix #906: warning: ‘Py_SetProgramName’ is deprecated. - Fix dereference of NULL variable warning in mesh_do_callback. - Code cleanup for sldns_str2wire_svcparam_key_lookup. - For #802: Cleanup comments and add RCODE check for CD bit test case. - Skip the 00-lint test. splint is not maintained; it either does not work or produces false positives. Static analysis is handled in the clang test. - For #664: Easier code flow for subnetcache prefetching. - For #664: Add testcase. - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to differentiate from the new subnet prefetch support. - Merge #880 from chipitsine: services/authzone.c: remove redundant check. - More clear description of the different auth-zone behaviors on the man page. - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and CLASSXX representation. - For #909: Fix return values. - Merge #901 from Sergei Trofimovich: config: improve handling of unknown modules. - For #909: Fix RR class comparison. - Merge #857 from eaglegai: fix potential memory leaks when errors happen. - For #857: fix mixed declarations and code. - Merge #118 from mibere: Changed verbosity level for Redis init & deinit. - Merge #390 from Frank Riley: Add missing callbacks to the python module. - Cleaner failure code for callback functions in interface.i. - Merge #889 from borisVanhoof: Free memory in error case + remove unused function. - For #889: use netcat-openbsd instead of netcat-traditional. - For #889: Account for num_detached_states before possible mesh_state_delete when erroring out. - Fix unused variable compile warning for kernel timestamps in netevent.c - Merge #911 from natalie-reece: Exclude EDE before other EDNS options when there isn't enough space. - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options altogether) before giving up on attaching EDE options. - More braces and formatting for Fix for EDNS EDE size calculation to avoid future bugs. - Fix to use the now cached EDE, if any, for CD_bit queries. - Fix for EDNS EDE size calculation. - Move a cache reply callback in worker.c closer to the cache reply generation. - Fix regional_alloc_init for potential unaligned source of the copy. - Fix ip_ratelimit test to work with dig that enables DNS cookies. - Fix for iter_dec_attempts that could cause a hang, part of capsforid and qname minimisation, depending on the settings. - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg. - Fix stat_values test to work with dig that enables DNS cookies. - Debug Windows ci workflow. - Fix windows ci workflow to install bison and flex. - Fix for #925: unbound.service: Main process exited, code=killed, status=11/SEGV. Fixes cachedb configuration handling. - Fix #923: processQueryResponse() THROWAWAY should be mindful of fail_reply. - Fix unit test for unbound-control to work when threads are disabled, and fix cache dump check. - Fix compile error on NetBSD in util/netevent.h.
PreviousNext