Software-update: Unbound 1.18.0
Als je een dns-look-up uitvoert, begint een recursor in eerste instantie met het stellen van de look-upvraag aan een dns-rootserver. Deze kan dan doorverwijzen naar andere servers, vanaf waar weer doorverwezen kan worden naar andere servers enzovoort, totdat uiteindelijk een server is bereikt die het antwoord weet of weet dat de look-up niet mogelijk is. Van dit laatste kan sprake zijn als de naam niet bestaat of de servers niet reageren. Het proces van het langslopen van verschillende authoritative servers heet recursie. Unbound is een dns-recursor met ondersteuning voor moderne standaarden, zoals Query Name Minimisation, Aggressive Use of Dnssec-Validated Cache en authority zones. De ontwikkelaars hebben versie 1.18.0 uitgebracht en hierin zijn de volgende veranderingen en verbeteringen aangebracht:
FeaturesMerge #826: Аdd a metric about the maximum number of collisions in lrushah.Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University.Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University.Merge #819: Added new static zone type block_a to suppress all A queries for specific zones.Fix #835: [FR] Ability to use Redis unix sockets.Fix #833: [FR] Ability to set the Redis password.Merge #882 from vvfedorenko: Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts.Merge #722 from David 'eqvinox' Lamparter: NAT64 support.Fix #888: [FR] Use kernel timestamps for dnstap.Merge #903: contrib: add yocto compatible init script.Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter.Merge #739: Add SVCB dohpath support.Merge #802: add validation EDEs to queries where the CD bit is set.Merge #664 from tilan7763: Add prefetch support for subnet cache entries.Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.Merge #790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache.Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. A `cookie-secret:` can be configured for anycast setups. Without one, a random cookie secret is generated. The acl option `allow_cookie` allows queries with either a valid cookie or over a stateful transport. The statistics output has `queries_cookie_valid` and `queries_cookie_client` and `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:` value determines a rate limit for queries with cookies, if desired.
Merge #826: Аdd a metric about the maximum number of collisions in lrushah.Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices, and makes unbound behave similar to other DNS resolvers. The new choice, down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li, from NISL Lab, Tsinghua University.Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li, from NISL Lab, Tsinghua University.Merge #819: Added new static zone type block_a to suppress all A queries for specific zones.Fix #835: [FR] Ability to use Redis unix sockets.Fix #833: [FR] Ability to set the Redis password.Merge #882 from vvfedorenko: Features/dropqueuedpackets, with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts.Merge #722 from David 'eqvinox' Lamparter: NAT64 support.Fix #888: [FR] Use kernel timestamps for dnstap.Merge #903: contrib: add yocto compatible init script.Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as a new statistical counter.Merge #739: Add SVCB dohpath support.Merge #802: add validation EDEs to queries where the CD bit is set.Merge #664 from tilan7763: Add prefetch support for subnet cache entries.Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.Merge #790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache.Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. A `cookie-secret:` can be configured for anycast setups. Without one, a random cookie secret is generated. The acl option `allow_cookie` allows queries with either a valid cookie or over a stateful transport. The statistics output has `queries_cookie_valid` and `queries_cookie_client` and `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:` value determines a rate limit for queries with cookies, if desired.Bug FixesFix #823: Response change to NODATA for some ANY queries since 1.12, tested on 1.16.1.Fix python module install path detection.Fix python version detection in configure.Improve documentation for #826, describe the large collisions amount.Fix not following cleared RD flags potentially enables amplification DDoS attacks, reported by Xiang Li and Wei Xu from NISL Lab, Tsinghua University. The fix stops query loops, by refusing to send RD=0 queries to a forwarder, they still get answered from cache.Set default for harden-unknown-additional to no. So that it does not hamper future protocol developments.Fix test for new default.Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.Add duration variable for speed_local.test.Fix #841: Unbound won't build with aaaa-filter-iterator.patch.Fix to ignore entirely empty responses, and try at another authority. This turns completely empty responses, a type of noerror/nodata into a servfail, but they do not conform to RFC2308, and the retry can fetch improved content.Fix unit tests for spurious empty messages.Fix consistency of unit test without roundrobin answers for the cnametooptout unit test.Fix to git ignore the library symbol file that configure can create.Allow TTL refresh of expired error responses.Add testcase for refreshing expired error responses.Clean up iterator/iterator.c::error_response_cache() and allow for better interaction with serve-expired, prefetch and cached error responses.Fix #825: Unexpected behavior with client-subnet-always-forward and serve-expiredFix for #852: Completion of error handling.Fix unbound-dnstap-socket test program to reply the finish frame over a TLS connection correctly.Fix ssl.h include brackets, instead of quotes.Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3.iana portlist update.Fix issue #851: reserved identifier violationFix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundleExtra consistency check to make sure that when TLS is requested, either we set up a TLS connection or we return an error.Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.Fix for #870: Add test case for the qname minimisation and CNAME.Fix build badge, from failing travis link to github ci action link.Merge #875: change obsolete txt URL in unbound-anchor.c to point to RFC 7958, and Fix #874.Fix for #878: Invalid IP address in unbound.conf causes Segmentation Fault on OpenBSD.Fix for #882: small changes, date updated in Copyright for util/timeval_func.c and util/timeval_func.h. Man page entries and example entry.Fix for #882: document variable to stop doxygen warning.Fix issue #860: Bad interaction with 0 TTL records and serve-expiredFix RPZ IP responses with trigger rpz-drop on cache entries, that they are dropped.For #722: minor fixes, formatting, refactoring.Fix #885: Error: util/configlexer.c: No such file or directory, adds error messages explaining to install flex and bison.Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.Fix doxygen in addr_to_nat64 header definition.Fix warning in windows compile, in set_recvtimestamp.Fix to print debug log for ancillary data with correct IP address.Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.Fix to remove unused variables from RPZ clientip data structure.Fix unbound-dnstap-socket printout when no query is present.Fix unbound-dnstap-socket time fraction conversion for printout.Merge #896: Fix: #895: pythonmodule: add all site-packages directories to sys.path.Fix #895: python + sysconfig gives ANOTHER path comparing to distutils.Fix for uncertain unit test for doh buffer size events.Properly handle all return values of worker_check_request during early EDE code.Do not check the incoming request more than once.Fix for issue #887 (Timeouts to forward servers on BSD based system with ASLR)Probably fixes #516 (Stream reuse does not work on Windows) as wellRemove warning about unknown cast-function-type warning pragma.Fix python modules with multiple scripts, by incrementing reference counts.More fixes for reference counting for python module and clean up failure code.Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading which causes memory leaks.Fix #906: warning: ‘Py_SetProgramName’ is deprecated
Source: Tweakers.net