Name: unbound	Distribution: openSUSE Tumbleweed
Version: 1.24.0	Vendor: openSUSE
Release: 1.1	Build date: Wed Sep 24 12:54:29 2025
Group: Productivity/Networking/DNS/Servers	Build host: reproducible
Size: 3445167	Source RPM: unbound-1.24.0-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://www.unbound.net/
Summary: Validating, recursive, and caching DNS(SEC) resolver

Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

Provides

Requires

License

BSD-3-Clause

Changelog

* Wed Sep 24 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.24.0:
Features:
* Increase default to num-queries-per-thread: 2048, when unbound
is compiled with libevent. It makes saturation of the task
queue more resource intensive and less practical.
* Auto-configure '-slabs' values.
* Change default for so-sndbuf to 1m, to mitigate a cross-layer
issue where the UDP socket send buffers are exhausted waiting
for ARP/NDP resolution.
* Adjusted so-sndbuf default to 4m.
* Add extra statistic to track the number of signature validation
operations. Adds 'num.valops' to extended statistics.
* [FR] Disable TLSv1.2.
* unbound-control cache_lookup prints the cached rrsets and
messages for those.
* unbound-control cache_lookup +t allows tld and root names. And
subnet cache contents are printed.
* [FR] zone status for Unbound auth-zones.
Bug Fixes:
* Fix assertion failure testcode/unitverify.c:202.
* Use macros for the fr_check_changed* functions.
* Fix for parallel build of dnstap protoc-c output.
* Fix dnstap to use protoc.
* Sync unbound and unbound-checkconf log output for unknown
modules.
* Fix forward-zone "name: ." conflicts with auth-zone "name: ."
in 1.23.0, but worked in 1.22.0.
* Fix unsafe usage of atoi() while parsing the configuration
file.
* Fix auth nsec3 code. Fixes NSEC3 code to not break on broken
auth zones that include unsigned out of zone (above apex) data.
Could lead to hang while trying to prove a wildcard answer.
* Fix NULL pointer deref in az_find_nsec_cover() (latent bug) by
adding a log_assert() to safeguard future development.
* Fix log-destaddr fail on long ipv6 addresses.
* Fix config of slab values when there is no config file.
* Fix for cname chain length with qtype ANY and qname
minimisation.
* RST man pages. It introduces restructuredText man pages to sync
the online and source code man page documentation. The
templated man pages (*.in) are still part of the repo but
generated with docutils from their .rst counterpart.
Documentation on how to generate those (mainly for core
developers) is in README.man.
* Add more checks about respip in unbound-checkconf. Also fixes
unbound-checkconf not reporting RPZ configuration error.
* [FR] Improve fuzzing of unbound by adapting the netbound
program.
* Small manpage corrections for the 'disable-dnssec-lame-check'
option.
* Fix unbound-anchor certificate file read for line ends and end
of file.
* Fix comment for the dname_remove_label_limit_len function.
* iana portlist updated.
* Fix bitwise operators in conditional expressions with
parentheses.
* Fix conditional expressions with parentheses for bitwise and.
* Fix header return value description for skip_pkt_rrs and
parse_edns_from_query_pkt.
* Fix to check control-interface addresses in unbound-checkconf.
* Fix Windows 32-bit binaries download seems to be missing dll
dependency.
* Fix for consistent use of local zone CNAME alias for configured
auth zones. Now it also applies to downstream configured auth
zones.
* Fix DNS over QUIC depends on a very outdated version of ngtcp2.
Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
* edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
* Fix rrset cache create allocation failure case.
* Fix EDE 6 is attached to insecure cached answers when client
sends the CD bit.
* Fix forward-first: ssl handshake failed on root nameservers.
* Turn off fetch-policy for delegation when looking into parent
side name servers that may not update the addresses and hit
NXNS limits.
* Replay test (added tcp_transport to outnet_serviced_query).
* Generate ltmain.sh and configure again.
* Fix is 'sock-queue-timeout' a linux only feature.
* Implement sock-queue-timeout for FreeBSD as well.
* Fix layout of comm_point_udp_ancil_callback.
* Fix to improve dnstap discovery on Fedora.
* Fix detection of SSL_CTX_set_tmp_ecdh function.
* Fix configure cant find SSL_is_quic in OpenSSL 3.5.1.
* Test num.valops in existing stat_values.tdir.
* Add num.valops in the unbound-control man page.
* Add unit tests for non-ecs aggregation.
* Fix to not set rlimits in the unit tests.
* iana portlist updated.
* Redis checks for server down and throttles reconnects.
* Fix redis cachedb module gettimeofday init failure.
* Fix testbound test program to accurately output packets from
hex.
* Fix incorrectly reclaimed tcp handler can cause data corruption
and segfault.
* Fix to use assertions for consistency checks in reclaimed tcp
handlers.
* Fix edns subnet, so that the subquery without subnet is stored
in global cache if the querier used 0.0.0.0/0 and the name and
address do not receive subnet treatment. If the name and
address are configured for subnet, it is stored in the subnet
cache.
* Fix dname_str for printout of long names.
* Fix that edns-subnet failure to create a subquery errors as
servfail, and not formerror.
* Fix to whitespace in dname_str.
* Fix that unbound-control dump_cache releases the cache locks
every so often, so that the server stays responsive.
* Fix to remove debug from cache_lookup.
* Fix to unlock cache_lookup message for malformed records.
* Fix to increase responsiveness of dump_cache.
* Fix to decouple file descriptor activity and cache lookups in
dump_cache.
* Fix cache_lookup subnet printout to wipe zero part of the
prefix.
* Fix cache_lookup subnet print to not print messages without
rrsets and perform in-depth check on node in the addrtree.
* Fix to check for extraneous command arguments for
unbound-control, when the command takes no arguments but there
are arguments present.
* Fix contrib/unbound.service comment path for systemd network
configuration.
* Fix compile warnings for DoH compile on windows.
* Fix sha1 enable environment variable in test code on windows.
* Fix that the zone acquired timestamp is set after the zonefile
is read.
* Fix unbound-control dump_cache for double unlock of lruhash
table.
* Fix setup_listen_sslctx warning for nettle compile.
* Limit the number of consecutive reads on an HTTP/2 session.
* Fix to free edns options scratch in ratelimit case.
* Fix outdated Python2 code in unbound/pythonmod/examples/log.py.
* Fix memory leak in 'msgparse.c' in
'parse_edns_options_from_query(...)'.
* Fix indentation in tcp-mss option parsing.
* Fix make depend.
* Update documentation for using "SET ... EX" in Redis.
* Document max buffer sizes for Redis commands.
* Update man pages.
* Fix CNAME chains are sometimes not followed when RPZs add a
local CNAME rewrite.
* Update contrib/aaaa-filter-iterator.patch so it applies on
1.24.0.
* Small debug output improvement when attaching an EDE.
* Fix to print warning for when so-sndbuf setsockopt is not
granted.
* Too many quotes for the EDE message debug printout.
* Mon Aug 11 2025 Marcus Rueckert <mrueckert@suse.de>
- simplify python handling. python2 support is dropped and python3
is built by default. Conditionals for the latter are removed.
* Mon Aug 11 2025 Marcus Rueckert <mrueckert@suse.de>
- enable EDNS subnet handling
* Sun Aug 10 2025 Marcus Rueckert <mrueckert@suse.de>
- Update to 1.23.1: (boo#1246625)
Bug Fixes:
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
AOSP Lab Nankai University.
- our package was not built with EDNS subnet support up to this
point and therefor was not affected.
* Sun Aug 10 2025 Marcus Rueckert <mrueckert@suse.de>
- prepare enabling quic support:
currently fails on missing quic support in openssl. aws-lc is
sadly not a drop in replacement for unbound.
- enable TCP Fast Open for the server and client
- remove unused --with-ldns option
- enable cachedb including hiredis support on Tumbleweed
new BuildRequires pkgconfig(libhiredis)
* Sun Jul 20 2025 Mia Herkt <mia@0x0.st>
- Remove leftover dependency on sudo (not required)
See also: boo#1215628
* Thu Apr 24 2025 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.23.0:
Features:
* Increase the default of max-global-quota to 200 from 128 after
operational feedback. Still keeping the possible amplification
factor (CAMP related issues) in the hundreds.
* Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
is set to 1800 as suggested by RFC8767.
* For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
* Add resolver.arpa and service.arpa to the default locally served
zones.
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
* Merge #1019: Redis read-only replica support.
Introduces new 'redis-replica-*' options for the Redis cache backend.
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
configuration option 'dns-error-reporting' and new statistics for
'num.dns_error_reports'.
Bug Fixes:
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
* Fix #1163: Typos in unbound.conf documentation.
* Merge #1159: Stats for discard-timeout and wait-limit.
* Add test case for #1159.
* Some clean up for stat_values.test.
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
description.
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
ub_ctx_delete in Windows.
* Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
* Merge #1167: Makefile.in: fix occasional parallel build failures
around bison rule.
* Fix SETEX check during Redis (re)initialization.
* Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
* Fix to log redis timeout error string on failure.
* More descriptive text for 'harden-algo-downgrade'.
* Complete fix for max-global-quota to 200.
* Fix #1183: the data being used is released in method
nsec3_hash_test_entry.
* Fix for #1183: release nsec3 hashes per test file.
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
auth_zone up/down queries.
* Fix comparison to help static analyzer.
* For #1175, update serve-expired tests.
* Merge #1189: Fix the dname_str method to cause conversion errors
when the domain name length is 255.
* Merge #1197: dname_str() fixes.
* Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
* Safeguard alias loop while looking in the cache for expired answers.
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
drop.
* Fix typo in log_servfail.tdir test.
* Merge #1204: ci: set persist-credentials: false for actions/checkout
per zizmor suggestion.
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
with serve-expired that appeared in 1.22.0 and would not allow the
iterator to update the cache with not-yet-validated entries resulting
in increased outgoing traffic.
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
handshake.
* Fix #1213: Misleading error message on default access control causing
refuse.
* Merge #1221: Consider auth zones when checking for forwarders.
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
ALPN.
* Create the quic SSL listening context only when needed.
* Fix compile of interface check code when dnscrypt or quic is
disabled.
* Fix encoding of RR type ATMA.
* Fix to check length in ATMA string to wire.
* Merge #1229: check before use daemon->shm_info.
* Use the same interface listening port discovery code for all needed
protocols.
* Port to string only when needed before getaddrinfo().
* Do not open unencrypted channels next to encrypted ones on the same
port.
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
set.
* Merge #1220 from Petr Menšík, Add unbound members group access to
control key.
* Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
* Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.
Consider reconfigurations when calculating the still_useful_timeout
for servers in the infrastructure cache.
* Fix static analysis report about unhandled EOF on error conditions
when reading anchor key files.
* Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
values.
* Fix hash calculation for cachedb to ignore case. Previously, cached
records there were only relevant for same case queries (if not
already in Unbound's internal cache).
* Merge #1243: Do not shadow tm on line 236.
* Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
Add --help output description for the SOURCE_DATE_EPOCH variable.
* Fix 'unbound-control flush_negative' when reporting removed data;
reported by David 'eqvinox' Lamparter.
* Fix representation of types GPOS and RESINFO, add rdf type for
unquoted str.
* Fix #1251: WSAPoll first argument cannot be NULL.
* Fix for windows compile create ssl contexts.
* Fix print of RR type NSAP-PTR, it is an unquoted string.
* Fix #1253: Cache entries fail to be removed from Redis cachedb
backend with unbound-control flush* +c.
* Fix for #1253: Fix for redis cachedb backend to expect an integer
reply for the EXPIRE command.
* Fix #1254: send failed: Socket is not connected and
remote address is 0.0.0.0 port 53.
* Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
* For #1255, for ios use an older expat version that does not require
C++11 language features.
* For #1255, for ios disable building tests that require C++11.
* For #1255, for ios try the latest expat version again.
* Fix unit test dname log printout typecast.
* Fix for ci test, expat is installed on the osx image.
* iana portlist update.
* Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
* Fix escape more characters when printing an RR type with an unquoted
string.
* Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
* Fix unbound-control test so it counts the new flush_negative output,
also answers the _ta probe from testns and prints command output
and skip a thread specific test when no threads are available.
* Fix that ub_event has the facility to deal with callbacks for
fast reload, doq, windows-stop and dnstap.
* Fix fast reload test to check if pid exists before acting on it.
* Merge #1262 from markyang92, fix build with
'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
* For #1262, ifdef is no longer needed.
* Fix #1263: Exempt loopback addresses from wait-limit.
* Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
to allow two arguments.
* Fix ub_event and include dnstap and win_svc headers.
* Fix test for stat_values for wait limit defaults for localhost.
* Fix parameter unused warning in net_help.c.
* Fix mesh_copy_client_info to omit null contents from copy.
* Fix comment name in the rpz nsdname test.
* Fix nettle compile for warnings and ticket keys.
* Fix redis_replica test for unused option defaults and log printout.
* Fix test to speed up common.sh script kill_pid.
* Fix to update common.sh for speed of kill_pid.
* Update to the manpage for the fast_reload part.
* Fix fast_reload to print chroot with config file name.
* Fix to detect if atomic_store links in configure.
* Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
* Fix for print of connection type in log-replies for dot and doh.
* Merge #1265: Fix WSAPoll.
* Wed Nov 27 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add workaround for bug
https://github.com/NLnetLabs/unbound/issues/509
Starting up with 127.0.0.1 in the /etc/resolv.conf leads to long
delays if the anchor update is being run as ExecStartPre in the
unbound service
* Fri Oct 18 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.22.0:
Features:
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
configuration options.
* Merge patch to fix for glue that is outside of zone, with
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
Enabling this option protects the Unbound resolver against bad
glue, that is unverified out of zone glue, by resolving them.
It uses the records as last resort if there is no other working
glue.
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
that can set the timeout separately for commands and the
connection set up to the redis server. If they are not
specified, the redis-timeout value is used.
* Log timestamps in ISO8601 format with timezone. This adds the
option `log-time-iso: yes` that logs in ISO8601 format.
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
that enable dnsoverquic, and the counters `num.query.quic` and
`mem.quic` in the statistics output. The feature needs to be
enabled by compiling with libngtcp2, with
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
that with `--with-ssl=path` to compile unbound as well.
Bug Fixes:
* unbound-control-setup hangs while testing for openssl presence
starting from version 1.21.0.
* Fix error: "memory exhausted" when defining more than 9994
local-zones.
* Fix documentation for cache_fill_missing function.
* Fix Loads of logs: "validation failure: key for validation
<domain>. is marked as invalid because of a previous" for
non-DNSSEC signed zone.
* Fix that when rpz is applied the message does not get picked up
by the validator. That stops validation failures for the
message.
* Fix that stub-zone and forward-zone clauses do not exhaust
memory for long content.
* Fix to print port number in logs for auth zone transfer
activities.
* b.root renumbering.
* Add new IANA trust anchor.
* Fix config file read for dnstap-sample-rate.
* Fix alloc-size and calloc-transposed-args compiler warnings.
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
(RFC9077).
* Fix dns64 with prefetch that the prefetch is stored in cache.
* Attempt to further fix doh_downstream_buffer_size.tdir
flakiness.
* More clear text for prefetch and minimal-responses in the
unbound.conf man page.
* Fix cache update when serve expired is used. Expired records
are favored over resolution and validation failures when
serve-expired is used.
* Fix negative cache NSEC3 parameter compares for zero length
NSEC3 salt.
* Fix unbound-control-setup hangs sometimes depending on the
openssl version.
* Fix Cannot override tcp-upstream and tls-upstream with
forward-tcp-upstream and forward-tls-upstream.
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
the prefetch ttl for messages after a CNAME with short TTL.
* Fix to disable detection of quic configured ports when quic is
not compiled in.
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
* Fix contrib/aaaa-filter-iterator.patch for change in call
signature for cache_fill_missing.
* Fix to display warning if quic-port is set but dnsoverquic is
not enabled when compiled.
* Fix dnsoverquic to extend the number of streams when one is
closed.
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
* Fix for dnsoverquic and dnstap to use the correct dnstap
environment.
- Update keyring
* Mon Oct 07 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.21.1:
Security Fixes:
* Fix CVE-2024-8508, unbounded name compression could lead to
denial of service.
[CVE-2024-8508, bsc#1231284]
- Update keyring
* Thu Aug 15 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.21.0:
Security Fixes:
* Merge #1073: fix null pointer dereference issue in function
ub_ctx_set_fwd.
[CVE-2024-43167, bsc#1229068]
Features:
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
with `unbound-control flush*` commands.
* Fix #144: Port ipset to BSD pf tables.
* Add dnstap-sample-rate that logs only 1/N messages, for high
volume server environments. Thanks Dan Luther.
* Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
inspected with `unbound-anchor -l`.
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
"unbound_cookiesecrets.txt"` option to store cookie secrets for
EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and
drop_cookie_secret commands can be used for rollover, the
command print_cookie_secrets shows the values in use.
Bug Fixes:
* Fix CAMP issues with global quota. Thanks to Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
group, ETH Zurich.
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
(Tel-Aviv University and Reichman University).
* Merge #1062: Fix potential overflow bug while parsing port in
function cfg_mark_ports.
* Fix for #1062: declaration before statement, avoid print of
null, and redundant check for array size.
* Fix to squelch udp connect errors in the log at low verbosity
about invalid argument for IPv6 link local addresses.
* Fix when the mesh jostle is exceeded that nameserver targets
are marked as resolved, so that the lookup is not stuck on the
requestlist.
* Add missing common functions to tdir tests.
* Merge #1070: Fix rtt assignement for low values of
infra-cache-max-rtt.
* Merge #1069: Fix unbound-control stdin commands for
multi-process Unbounds.
* Fix unbound-control commands that read stdin in multi-process
operation (local_zones_remove, local_zones, local_datas_remove,
local_datas, view_local_datas_remove, view_local_datas). They
will be properly distributed to all processes. dump_cache and
load_cache are no longer supported in multi-process operation.
* Remove testdata/remote-threaded.tdir.
testdata/09-unbound-control.tdir now checks both single and
multi process/thread operation.
* Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
* Fix for parse end of forward-zone, stub-zone and view.
* Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is
enabled.
* Fix #1059: Intermittent DNS blocking failure with local-zone
and always_nxdomain. Addition of local_zones dynamically via
unbound-control was not finding the zone's parent correctly.
* Fix #1064: Unbound 1.20 Cachedb broken?
* Fix unused variable warning on compilation with no thread
support.
* unbound-control-setup: check openssl availability before doing
anything, patch from Michael Tokarev.
* Update patch to remove 'command' shell builtin and update error
text.
* Fix to enable that SERVFAIL is cached, for a short period, for
more cases. In the cases where limits are exceeded.
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
* Merge #1078: Only check old pid if no username.
* Fix #1079: tags from tagged rpz zones are no longer honored
after upgrade from 1.19.3 to 1.20.0.
* Fix for #1079: fix RPZ taglist in iterator callback that no
client info is like no taglist intersection.
* Fix to squelch connection reset by peer errors from log. And
fix that the tcp read errors are labeled as initial for the
first calls.
* Merge #1080: AddressSanitizer detection in tdir tests and
memory leak fixes.
* Fix memory leak when reload_keep_cache is used and num-threads
changes.
* Fix memory leak on exit for unbound-dnstap-socket; creates
false negatives during testing.
* Fix memory leak in setup of dsa sig.
* Fix typos for 'the the' in text.
* Fix validation for repeated use of a DNAME record.
* Add unit test for validation of repeated use of a DNAME record.
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
by adding helpful text for the Python interpreter version and
allowing the default pkg-config unavailability error message to
be shown.
* Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
* Explicitly set the RD bit for the mesh query flags when
prefetching. These queries have no waiting client but they need
to be treated as recursive.
* Fix ip-ratelimit-cookie setting, it was not applied.
* Fix to remove unused include from the readzone test program.
* Fix unused variable warning in do_cache_remove.
* Fix compile warning in worker pthread id printout.
* Add unit test skip files and bison and flex output to
gitignore.
* Fix to use modstack_init in zonemd unit test.
* Fix to remove unneeded linebreak in fptr_wlist.c.
* Fix compile warnings in fptr_wlist.c.
* Fix for repeated use of a DNAME record: first overallocate and
then move the exact size of the init value to avoid false
positive heap overflow reads from address sanitizers.
* Fix to print details about the failure to lookup a DNSKEY
record when validation fails due to the missing DNSKEY. Also
for key prime and DS lookups.
* Fix for neater printout for error for missing DS response.
* Fix neater printout.
* Fix #1099: Unbound core dump on SIGSEGV.
* Fix for #1099: Fix to check for deleted RRset when the contents
is updated and fetched after it is stored, and also check for a
changed RRset.
* Don't check for message TTL changes if the RRsets remain the
same.
* Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation
buffer.
* Fixup algo_needs_reason string buffer length.
* Fix shadowed error string variable in validator dnskey
handling.
* Update list of known EDE codes.
* For #773: In contrib/unbound.service.in set unbound to start
after network-online.target. Also for
contrib/unbound_portable.service.in.
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
* For #1103: fix to also drop mesh state reference when a h2
reply is dropped.
* Add RPZ tag tests in acl_interface.tdir.
* For #1102: clearer text for using interface-* options for the
loopback interface.
* For #1103: fix to also drop mesh state reference when the
discard limit is reached, when there is an error making a new
recursion state and when the connection is dropped with
is_drop.
* For #1103: Fix to drop mesh state reference for the http2
stream associated with the reply, not the currently active
stream. And it does not remove it twice on a mesh_send_reply
call. The reply h2_stream is NULL when not in use, for more
initialisation.
* Fix dnstap wakeup, a running wakeup timer is left to expire and
not increased, a timer is started when the dtio thread is
sleeping, the timer set disabled when the dtio thread goes to
sleep, and after sleep the thread checks to see if there are
messages to log immediately.
* Merge #1110: Make fallthrough explicit for libworker.c.
* For #1110: Test for fallthrough attribute in configure and add
fallthrough attribute annotations.
* Fix compile when the compiler does not support the noreturn
attribute.
* Fix to have empty definition when not supported for weak
attribute.
* Fix uninitialized variable warning in create_tcp_accept_sock.
* Fix link of dnstap without openssl.
* Fix link of unbound-dnstap-socket without openssl.
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
* Cleanup ede.tdir test.
* For #935 and #1104, clarify RPZ order and semantics.
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
* Fix for #1114: Fix that cache fill for forward-host names is
performed, so that with nonzero target-fetch-policy it fetches
forwarder addresses and uses them from cache. Also updated that
delegation point cache fill routines use CDflag for AAAA
message lookups, so that its negative lookup stops a recursion
since the cache uses the bit for disambiguation for dns64 but
the recursion uses CDflag for the AAAA target lookups, so the
check correctly stops a useless recursion by its cache lookup.
* Fix dnstap test program, cleans up to have clean memory on
exit, for tap_data_free, does not delete NULL items. Also it
does not try to free the tail, specifically in the free of the
list since that picked up the next item in the list for its
loop causing invalid free. Added internal unit test to
unbound-dnstap-socket for that.
* Fix that the worker mem report with alloc stats does not
attempt to print memory use of forwards and hints if they have
been deleted already.
* Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
* Fix testbound for alloc stats strdup in util/alloc.c.
* Fix that alloc stats for forwards and hints are printed, and
when alloc stats is enabled, the unit test for unbound control
waits for reloads to complete.
* Fix that for windows the module startup is called and sets up
the module-config.
* Fix spelling for the cache-min-negative-ttl entry in the
example.conf.
* Wed May 08 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.20.0:
Features:
* The config for discard-timeout, wait-limit, wait-limit-cookie,
wait-limit-netblock and wait-limit-cookie-netblock was added,
for the fix to the DNSBomb issue.
* Merge GH#1027: Introduce 'cache-min-negative-ttl' option.
* Merge GH#1043 from xiaoxiaoafeifei: Add loongarch support;
updates config.guess(2024-01-01) and config.sub(2024-01-01),
verified with upstream.
* Implement cachedb-check-when-serve-expired: yes option, default
is enabled. When serve expired is enabled with cachedb, it
first checks cachedb before serving the expired response.
* Fix GH#876: [FR] can unbound-checkconf be silenced when
configuration is valid?
Bug Fixes:
* Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
Xiang Li from the Network and Information Security Lab of
Tsinghua University for reporting it.
* Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
deprecation warnings and updates with newer defaults.
* Remove unused portion from iter_dname_ttl unit test.
* Fix validator classification of qtype DNAME for positive and
redirection answers, and fix validator signature routine for
dealing with the synthesized CNAME for a DNAME without
previously encountering it and also for when the qtype is
DNAME.
* Fix qname minimisation for reply with a DNAME for qtype CNAME
that answers it.
* Fix doc test so it ignores but outputs unsupported doxygen
options.
* Fix GH#1021 Inconsistent Behavior with Changing
rpz-cname-override and doing a unbound-control reload.
* Merge GH#1028: Clearer documentation for tcp-idle-timeout and
edns-tcp-keepalive-timeout.
* Fix GH#1029: rpz trigger clientip and action rpz-passthru not
working as expected.
* Fix rpz that the rpz override is taken in case of clientip
triggers. Fix that the clientip passthru action is logged. Fix
that the clientip localdata action is logged. Fix rpz override
action cname for the clientip trigger.
* Fix to unify codepath for local alias for rpz cname action
override.
* Fix rpz for cname override action after nsdname and nsip
triggers.
* Fix that addrinfo is not kept around but copied and freed, so
that log-destaddr uses a copy of the information, much like NSD
does.
* Merge GH#1030: Persist the openssl and expat directories for
repeated Windows builds.
* Fix that rpz CNAME content is limited to the max number of
cnames.
* Fix rpz, it follows iterator CNAMEs for nsip and nsdname and
sets the reply query_info values, that is better for debug
logging.
* Fix rpz that copies the cname override completely to the temp
region, so there are no references to the rpz region.
* Add rpz unit test for nsip action override.
* Fix rpz for qtype CNAME after nameserver trigger.
* Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix
that clientip and nsip can give a CNAME.
* Fix localdata and rpz localdata to match CNAME only if no
direct type match is available.
* Merge GH#831 from Pierre4012: Improve Windows NSIS installer
script (setup.nsi).
* For GH#831: Format text, use exclamation icon and explicit label
names.
* Fix name of unit test for subnet cache response.
* Fix GH#1032: The size of subnet_msg_cache calculation mistake
cause memory usage increased beyond expectations.
* Fix for GH#1032, add safeguard to make table space positive.
* Fix comment in lruhash space function.
* Fix to add unit test for lruhash space that exercises the
routines.
* Fix that when the server truncates the pidfile, it does not
follow symbolic links.
* Fix that the server does not chown the pidfile.
* Fix GH#1034: DoT forward-zone via unbound-control.
* Fix for crypto related failures to have a better error string.
* Fix GH#1035: Potential Bug while parsing port from the
"stub-host" string; also affected forward-zones and
remote-control host directives.
* Fix GH#369: dnstap showing extra responses; for client responses
right from the cache when replying with expired data or
prefetching.
* Fix GH#1040: fix heap-buffer-overflow issue in function
cfg_mark_ports of file util/config_file.c.
* For GH#1040: adjust error text and disallow negative ports in
other parts of cfg_mark_ports.
* Fix comment syntax for view function views_find_view.
* Fix GH#595: unbound-anchor cannot deal with full disk; it will
now first write out to a temp file before replacing the
original one, like Unbound already does for
auto-trust-anchor-file.
* Fixup compile without cachedb.
* Add test for cachedb serve expired.
* Extended test for cachedb serve expired.
* Fix makefile dependencies for fake_event.c.
* Fix cachedb for serve-expired with serve-expired-reply-ttl.
* Fix to not reply serve expired unless enabled for cachedb.
* Fix cachedb for serve-expired with
serve-expired-client-timeout.
* Fixup unit test for cachedb server expired client timeout with
a check if response if from upstream or from cachedb.
* Fixup cachedb to not refetch when serve-expired-client-timeout
is used.
* Merge GH#1049 from Petr Menšík: Py_NoSiteFlag is not needed since
Python 3.8
* Fix GH#1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
* Fix configure, autoconf for GH#1048.
* Add checklock feature verbose_locking to trace locks and
unlocks.
* Fix edns subnet to sort rrset references when storing messages
in the cache. This fixes a race condition in the rrset locks.
* Merge GH#1053: Remove child delegations from cache when
grandchild delegations are returned from parent.
* Fix ci workflow for macos for moved install locations.
* Fix configure flto check error, by finding grep for it.
* Merge GH#1041: Stub and Forward unshare. This has one structure
for them and fixes GH#1038: fatal error: Could not initialize
thread / error: reading root hints.
* Fix to disable fragmentation on systems with IP_DONTFRAG, with
a nonzero value for the socket option argument.
* Fix doc unit test for out of directory build.
* Fix cachedb with serve-expired-client-timeout disabled. The
edns subnet module deletes global cache and cachedb cache when
it stores a result, and serve-expired is enabled, so that the
global reply, that is older than the ecs reply, does not return
after the ecs reply expires.
* Add unit tests for cachedb and subnet cache expired data.
* Man page entry for unbound-checkconf -q.
* Cleanup unnecessary strdup calls for EDE strings.
* Fix doxygen comment for errinf_to_str_bogus.
* Wed Mar 20 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.3:
* Features:
- Merge PR #973: Use the origin (DNAME) TTL for synthesized
CNAMEs as per RFC 6672.
* Bug Fixes
- Fix unit test parse of origin syntax.
- Use 127.0.0.1 explicitly in tests to avoid delays and errors
on newer systems.
- Fix #964: config.h.in~ backup file in release tar balls.
- Merge #968: Replace the obsolescent fgrep with grep -F in
tests.
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
- Fix dnstap that assertion failed on logging other than UDP
and TCP traffic. It lists it as TCP traffic.
- Fix to sync the tests script file common.sh.
- iana portlist update.
- Updated IPv4 and IPv6 address for b.root-servers.net in root
hints.
- Update test script file common.sh.
- Fix tests to use new common.sh functions, wait_logfile and
kill_from_pidfile.
- Fix #974: doc: default number of outgoing ports without
libevent.
- Merge #975: Fixed some syntax errors in rpl files.
- Fix root_zonemd unit test, it checks that the root ZONEMD
verifies, now that the root has a valid ZONEMD.
- Update example.conf with cookie options.
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve
errors for non-HTTP/2 DoH clients.
- Merge #985: Add DoH and DoT to dnstap message.
- Fix #983: Sha1 runtime insecure change was incomplete.
- Remove unneeded newlines and improve indentation in remote
control code.
- Merge #987: skip edns frag retry if advertised udp payload
size is not smaller.
- Fix unit test for #987 change in udp1xxx retry packet send.
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large
records.
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
- Fix to link with libssp for libcrypto and getaddrinfo check
for only header. Also update crosscompile to remove ssp for
32bit.
- Merge #993: Update b.root-servers.net also in example config
file.
- Update workflow for ports to use newer openssl on windows
compile.
- Fix warning for windres on resource files due to
redefinition.
- Fix for #997: Print details for SSL certificate failure.
- Update error printout for duplicate trust anchors to include
the trust anchor name (relates to #920).
- Update message TTL when using cached RRSETs. It could result
in non-expired messages with expired RRSETs (non-usable
messages by Unbound).
- Merge #999: Search for protobuf-c with pkg-config.
- Fix #1006: Can't find protobuf-c package since #999.
- Fix documentation for access-control in the unbound.conf man
page.
- Merge #1010: Mention REFUSED has the TC bit set with
unmatched allow_cookie acl in the manpage. It also fixes the
code to match the documentation about clients with a valid
cookie that bypass the ratelimit regardless of the
allow_cookie acl.
- Document the suspend argument for process_ds_response().
- Move github workflows to use checkoutv4.
- Fix edns subnet replies for scope zero answers to not get
stored in the global cache, and in cachedb, when the upstream
replies without an EDNS record.
- Fix for #1022: Fix ede prohibited in access control refused
answers.
- Fix unbound-control-setup.cmd to use 3072 bits so that
certificates are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
like unbound-control-setup.sh has.
* Fri Mar 08 2024 Jorik Cronenberg <jorik.cronenberg@suse.com>
- Update to 1.19.2:
* Bug Fixes:
- Fix CVE-2024-1931, Denial of service when trimming EDE text
on positive replies.
[bsc#1221164]
* Wed Feb 28 2024 Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.1:
* Bug Fixes: [bsc#1219823, CVE-2023-50387][bsc#1219826, CVE-2023-50868]
- Fix CVE-2023-50387, DNSSEC verification complexity can be
exploited to exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
* Tue Feb 06 2024 Stefan Seyfried <seife+obs@b1-systems.com>
- as we use --disable-explicit-port-randomisation, also disable
outgoing-port-permit and outgoing-port-avoid in config file to
suppress the related unbound-checkconf warnings on every start
* Tue Jan 23 2024 Jakob Lorenz <onlyjak0b@mailbox.org>
- Use prefixes instead of sudo in unbound.service (boo#1215628)
* Fri Nov 17 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 1.19.0:
* Features:
- Fix #850: [FR] Ability to use specific database in Redis, with
new redis-logical-db configuration option.
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream
requests. This can be helpful for devices that cannot handle
DNSSEC information. But it should not be enabled otherwise, because
that would stop DNSSEC validation. The DNSSEC validation would not
work for Unbound itself, and also not for downstream users. Default
is no. The option is disable-edns-do: no
- Expose the script filename in the Python module environment 'mod_env'
instead of the config_file structure which includes the linked list
of scripts in a multi Python module setup; fixes #79.
- Expose the configured listening and outgoing interfaces, if any, as
a list of strings in the Python 'config_file' class instead of the
current Swig object proxy; fixes #79.
- Mailing list patches from Daniel Gröber for DNS64 fallback to plain
AAAA when no A record exists for synthesis, and minor DNS64 code
refactoring for better readability.
- Merge #951: Cachedb no store. The cachedb-no-store: yes option is
used to stop cachedb from writing messages to the backend storage.
It reads messages when data is available from the backend.
The default is no.
* Bug Fixes:
- Fix for version generation race condition that ignored changes.
- Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.
- Fix for WKS call to getservbyname that creates allocation on exit in
unit test by testing numbers first and testing from the services list later.
- Fix autoconf 2.69 warnings in configure.
- Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
- Merge #931: Prevent warnings from -Wmissing-prototypes.
- Fix to scrub resource records of type A and AAAA that have an
inappropriate size. They are removed from responses.
- Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
- Fix to add EDE text when RRs have been removed due to length.
- Fix to set ede match in unit test for rr length removal.
- Fix to print EDE text in readable form in output logs.
- Fix send of udp retries when ENOBUFS is returned. It stops looping
and also waits for the condition to go away. Reported by Florian Obser.
- Fix authority zone answers for obscured DNAMEs and delegations.
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
- Fix misplaced comment.
- Merge #881: Generalise the proxy protocol code.
- Fix #946: Forwarder returns servfail on upstream response noerror no data.
- Fix edns subnet so that queries with a source prefix of zero cause the
recursor send no edns subnet option to the upstream.
- Fix that printout of EDNS options shows the EDNS cookie option by name.
- Fix infinite loop when reading multiple lines of input on a broken remote
control socket. Addesses #947 and #948.
- Fix #949: "could not create control compt".
- Fix that cachedb does not warn when serve-expired is disabled about use
of serve-expired-reply-ttl and serve-expired-client-timeout.
- Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
- Better fix for infinite loop when reading multiple lines of input on a
broken remote control socket, by treating a zero byte line the same as
transmission end. Addesses #947 and #948.
- For multi Python module setups, clean previously parsed module functions
in __main__'s dictionary, if any, so that only current module functions
are registered.
- Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.
- Fixes for the DNS64 patches.
- Update the dns64_lookup.rpl test for the DNS64 fallback patch.
- Merge #955 from buevsan: fix ipset wrong behavior.
- Update testdata/ipset.tdir test for ipset fix.
- Fix to print detailed errors when an SSL IO routine fails via SSL_get_error.
- Clearer configure text for missing protobuf-c development libraries.
- autoconf.
- Merge #930 from Stuart Henderson: add void to log_ident_revert_to_default
declaration.
- Fix #941: dnscrypt doesn't work after upgrade to 1.18 with suggestion by
dukeartem to also fix the udp_ancil with dnscrypt.
- Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
- Fix SSL compile failure for other missing definitions in log_crypto_err_io_code_arg.
- Fix compilation without openssl, remove unused function warning.
- Mention flex and bison in README.md when building from repository source.
* Thu Sep 07 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 1.18.0:
* Features:
- Аdd a metric about the maximum number of collisions in lrushah.
- Set max-udp-size default to 1232. This is the same default value
as the default value for edns-buffer-size. It restricts client
edns buffer size choices, and makes unbound behave similar to
other DNS resolvers.
- Add harden-unknown-additional option. It removes unknown records
from the authority section and additional section.
- Added new static zone type block_a to suppress all A queries for
specific zones.
- [FR] Ability to use Redis unix sockets.
- [FR] Ability to set the Redis password.
- Features/dropqueuedpackets, with sock-queue-timeout option that
drops packets that have been in the socket queue for too long.
Added statistics num.queries_timed_out and query.queue_time_us.max
that track the socket queue timeouts.
- 'eqvinox' Lamparter: NAT64 support.
- [FR] Use kernel timestamps for dnstap.
- Add cachedb hit stat. Introduces 'num.query.cachedb' as a new
statistical counter.
- Add SVCB dohpath support.
- Add validation EDEs to queries where the CD bit is set.
- Add prefetch support for subnet cache entries.
- Add EDE (RFC8914) caching.
- Add support for EDE caching in cachedb and subnetcache.
- Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server
cookies for clients that send client cookies. This needs to be explicitly
turned on in the config file with: `answer-cookie: yes`.
* Bug Fixes
- Response change to NODATA for some ANY queries since 1.12.
- Fix not following cleared RD flags potentially enables
amplification DDoS attacks.
- Set default for harden-unknown-additional to no. So that it
does not hamper future protocol developments.
- Fix to ignore entirely empty responses, and try at another authority.
This turns completely empty responses, a type of noerror/nodata into
a servfail, but they do not conform to RFC2308, and the retry can fetch
improved content.
- Allow TTL refresh of expired error responses.
- Fix: Unexpected behavior with client-subnet-always-forward and serve-expired
- Fix unbound-dnstap-socket test program to reply the finish frame over
a TLS connection correctly.
- Fix: reserved identifier violation
- Fix: Unencrypted query is sent when forward-tls-upstream: yes is used
without tls-cert-bundle
- Extra consistency check to make sure that when TLS is requested,
either we set up a TLS connection or we return an error.
- Fix: NXDOMAIN instead of NOERROR rcode when asked for existing CNAME record.
- Fix: Bad interaction with 0 TTL records and serve-expired
- Fix RPZ IP responses with trigger rpz-drop on cache entries.
- Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
- Fix dereference of NULL variable warning in mesh_do_callback.
- Fix ip_ratelimit test to work with dig that enables DNS cookies.
- Fix for iter_dec_attempts that could cause a hang, part of capsforid
and qname minimisation, depending on the settings.
- Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
- Fix stat_values test to work with dig that enables DNS cookies.
- unbound.service: Main process exited, code=killed, status=11/SEGV.
Fixes cachedb configuration handling.
- Fix: processQueryResponse() THROWAWAY should be mindful of fail_reply.
* Thu Aug 24 2023 Marcus Rueckert <mrueckert@suse.de>
- openSUSE:Factory libunbound-devel-mini flavor is configured to
sync build counter with unbound package. This means it always
triggers a bootstrap no matter which of the packages got
initially triggered.
I am not sure if this is needed at all, if yes, please accept
this request and forward with an explenation.
If not, just decline it and we will remove the build counter
syncing in factory as well.
This adds the !BcntSyncTag: unbound to the mini spec file
Details:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/6GUU6JUQE72WCWEZCSLQYJLVVTNHBVTE/
* Thu May 04 2023 Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
* Thu Feb 23 2023 Pedro Monreal <pmonreal@suse.com>
- Update to 1.17.1:
* Features:
- Expose 'statistics-inhibit-zero' as a configuration option;
the default value retains Unbound's behavior.
- Expose 'max-sent-count' as a configuration option; the default
value retains Unbound's behavior.
- Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
- Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
* Bug Fixes:
- Merge #768 from fobser: Arithmetic on a pointer to void is a
GNU extension.
- In unit test, print python script name list correctly.
- testcode/dohclient sets log identity to its name.
- Clarify the use of MAX_SENT_COUNT in the iterator code.
- Fix that cachedb does not store failures in the external cache.
- Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
- Fix to ignore tcp events for closed comm points.
- Fix to make sure to not read again after a tcp comm point is
closed.
- Fix #775: libunbound: subprocess reap causes parent process
reap to hang.
- iana portlist update.
- Complementary fix for distutils.sysconfig deprecation in
Python 3.10 to commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
- Fix #779: [doc] Missing documention in ub_resolve_event() for
callback parameter was_ratelimited.
- Ignore expired error responses.
- Merge #720 from jonathangray: fix use after free when
WSACreateEvent() fails.
- Fix for the ignore of tcp events for closed comm points,
preserve the use after free protection features.
- Fix #782: Segmentation fault in stats.c:404.
- Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
- Clear documentation for interactivity between the subnet module
and the serve-expired and prefetch configuration options.
- Fix #773: When used with systemd-networkd, unbound does not start
until systemd-networkd-wait-online.service times out.
- Merge #808: Wrap Makefile script's directory variables in quotes.
- Fix to wrap Makefile scripts directory in quotes for uninstall.
- Fix windows compile for libunbound subprocess reap comm point closes.
- Update github workflows to use checkout v3.
- Fix wildcard in hyperlocal zone service degradation, reported
by Sergey Kacheev.
* Add signature and keyring files
* Thu Dec 29 2022 Wolfgang Frisch <wolfgang.frisch@suse.com>
- Tighten permissions (boo#1173619)
- Add missing dependency: unbound-control-setup needs /usr/bin/openssl.
* Thu Oct 13 2022 Michael Ströder <michael@stroeder.com>
- update to 1.17.0
* Features
- Merge #753: ACL per interface. (New interface-* configuration
options).
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
configuration option).
* Bug Fixes
- Fix #728: alloc_reg_obtain() core dump. Stop double
alloc_reg_release when serviced_create fails.
- Fix edns subnet so that scope 0 answers only match sourcemask 0
queries for answers from cache if from a query with sourcemask 0.
- Fix unittest for edns subnet change.
- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
to unsupported IPV6_USER_MTU socket option being set.
- Fix ratelimit inconsistency, for ip-ratelimits the value is the
amount allowed, like for ratelimits.
- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
errors.
- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
per 10 seconds. Also log accept failures when no slow down is used.
- Fix to avoid process wide fcntl calls mixed with nonblocking
operations after a blocked write.
- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
operations, so that instruction reordering does not cause mistakenly
blocking socket operations.
- Fix to wait for blocked write on UDP sockets, with a timeout if it
takes too long the packet is dropped.
- Fix for wait for udp send to stop when packet is successfully sent.
- Fix #741: systemd socket activation fails on IPv6.
- Fix to update config tests to fix checking if nonblocking sockets
work on OpenBSD.
- Slow down log frequency of write wait failures.
- Fix to set out of file descriptor warning to operational verbosity.
- Fix to log a verbose message at operational notice level if a
thread is not responding, to stats requests. It is logged with
thread identifiers.
- Remove include that was there for debug purposes.
- Fix to check pthread_t size after pthread has been detected.
- Convert tdir tests to use the new skip_test functionality.
- Remove unused testcode/mini_tpkg.sh file.
- Better output for skipped tdir tests.
- Fix doxygen warning in respip.h.
- Fix to remove erroneous TC flag from TCP upstream.
- Fix test tdir skip report printout.
- Fix windows compile, the identifier interface is defined in headers.
- Fix to close errno block in comm_point_tcp_handle_read outside of
ifdef.
- Fix static analysis report to remove dead code from the
rpz_callback_from_iterator_module function.
- Fix to clean up after the acl_interface unit test.
- Merge #764: Leniency for target discovery when under load (for
NRDelegation changes).
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
- Fix string comparison in mini_tdir.sh.
- Make ede.tdir test more predictable by using static data.
- Fix checkconf test for dnscrypt and proxy port.
- Fix dnscrypt compile for proxy protocol code changes.
- Fix to stop responses with TC flag from resulting in partial
responses. It retries to fetch the data elsewhere, or fails the
query and in depth fix removes the TC flag from the cached item.
- Fix proxy length debug output printout typecasts.
- Fix to stop possible loops in the tcp reuse code (write_wait list
and tcp_wait list). Based on analysis and patch from Prad Seniappan
and Karthik Umashankar.
- Fix PROXYv2 header read for TCP connections when no proxied addresses
are provided.
* Wed Sep 21 2022 Michael Ströder <michael@stroeder.com>
- update to 1.16.3
fixes Non-Responsive Delegation Attack (CVE-2022-3204)
* Mon Aug 01 2022 Michael Ströder <michael@stroeder.com>
- update to 1.16.2 (boo#1202031 boo#1202033)
* Features
- Merge #718: Introduce infra-cache-max-rtt option to config max
retransmit timeout.
* Bug Fixes
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
- Fix verbose EDE error printout.
- Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
- For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest
cross-compiler versions.
- Merge PR 714: Avoid treat normal hosts as unresponsive servers.
And fixup the lock code.
- iana portlist update.
- Update documentation for 'outbound-msg-retry:'.
- Tests for ghost domain fixes.
* Mon Jul 11 2022 Michael Ströder <michael@stroeder.com>
- update to 1.16.1
* Features
- Fix #704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
command.
* Bug Fixes
- makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
- Fix for edns client subnet to respect not looking in its cache when
instructed to do so (e.g., prefetch).
- Merge PR #688: Rpz url notify issue.
- Note in the unbound.conf text that NOTIFY is allowed from the url:
addresses for auth and rpz zones.
- Remove unused LDNS function check for GOST Engine unloading.
- Fix for loading locally stored zones that have lines with blanks or
blanks and comments.
- Fix #663: use after free issue with edns options.
- Clarify -v flag manpage entry (#705)
- Fix test program dohclient close to use portability routine.
- Show the output of the exact .rpl run that failed with 'make test'.
- Fix for cached 0 TTL records to not trigger prefetching when
serve-expired-client-timeout is set.
- Add debug option to the mini_tdir.sh test code.
- Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
- Allow fallback to the parent side when MAX_TARGET_NX is reached.
This will also allow MAX_TARGET_NX more NXDOMAINs.
- iana portlist update.
- Fix detection of libz on windows compile with static option.
- Fix compile warning for windows compile.
- Merge PR #706: NXNS fallback.
- From #706: Cached NXDOMAIN does not increase the target nx
responses.
- From #706: Don't generate parent side queries if we already
have the lame records in cache.
- From #706: When a lame address is the best choice, don't try to
generate target queries when the missing targets are all lame.
- Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
mode on openssl3.
- Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
- For #660: formatting, less verbose logging, add EDE information.
- Fix for correct openssl error when adding windows CA certificates to
the openssl trust store.
- Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
- Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
- Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
- Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets.
* Thu Jun 02 2022 Michael Ströder <michael@stroeder.com>
- update to 1.16.0
* Features
- Merge PR #604: Add basic support for EDE (RFC8914).
* Bug Fixes
- Fix #412: cache invalidation issue with CNAME+A.
- Fix that TCP interface does not use TLS when TLS is also configured.
- Fix #624: Unable to stop Unbound in Windows console (does not
respond to CTRL+C command).
- Fix #618: enabling interface-automatic disables DNS-over-TLS.
Adds the option to list interface-automatic-ports.
- Remove debug info from #618 fix.
- Fix #628: A rpz-passthru action is not ending RPZ zone processing.
- Fix for #628: fix rpz-passthru for qname trigger by localzone type.
- Fix that address not available is squelched from the logs for
udp connect failures. It is visible on verbosity 4 and more.
- Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
ERR_GET_REASON.
- Fix to detect that no IPv6 support means that IPv6 addresses are
useless for delegation point lookups.
- update Makefile dependencies.
- Fix check interface existence for support detection in remote lookup.
- Fix #633: Document unix domain socket support for unbound-control.
- Fix for #633: updated fix with new text.
- Fix edns client subnet to add the option based on the option list,
so that it is not state dependent, after the state fix of #605 for
double EDNS options.
- Fix for edns client subnet option add fix in removal code, from review.
- Fix #630: Unify the RPZ log messages.
- Merge #623 from rex4539: Fix typos.
- Fix pythonmod for change in iter_dp_is_useless function prototype.
- Fix compile warnings for printf ll format on mingw compile.
- Merge PR #632 from scottrw93: Match cnames in ipset.
- Various fixes for #632: variable initialisation, convert the qinfo
to str once, accept trailing dot in the local-zone ipset option.
- Fix #637: Integer Overflow in sldns_str2period function.
- Fix for #637: fix integer overflow checks in sldns_str2period.
- Fix configure for python to use sysutils, because distutils is
deprecated. It uses sysutils when available, distutils otherwise.
- Merge #644: Make `install-lib` make target install the pkg-config
file.
- Fix to ensure uniform handling of spaces and tabs when parsing RRs.
- Fix to describe auth-zone and other configuration at the local-zone
configuration option, to allow for more broadly view of the options.
- Merge PR #648 from eaglegai: fix -q doesn't work when use with
'unbound-control stats_shm'.
- Fix #651: [FR] Better logging for refused queries.
- Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
- Fix zonemd check to allow unsupported algorithms to load.
If there are only unsupported algorithms, or unsupported schemes,
and no failed or successful other ZONEMD records, or malformed
or bad ZONEMD records, the unsupported records allow the zone load.
- Fix zonemd unsupported algo check.
- Fix zonemd unsupported algo check reason to not copy to next record,
and check for success for debug printout.
- Fix zonemd unsupported algo check to print unsupported reason before
zeroing it.
- Fix zonemd unsupported algo check to set reason to NULL before the
check routine, but after malformed checks, to get the correct NULL
output when the digest matches.
- Fix #670: SERVFAIL problems with unbound 1.15.0 running on
OpenBSD 7.1.
- Fix Python build in non-source directory; based on patch by
Michael Tokarev.
- Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
host.
- Merge #677: Allow using system certificates not only on Windows,
from pemensik.
- For #677: Added tls-system-cert to config parser and documentation.
- Fix #417: prefetch and ECS causing cache corruption when used
together.
- Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
by updating unbound-control's documentation.
- Fix typos in config_set_option for the 'num-threads' and
'ede-serve-expired' options.
- Fix to silence test for ede error output to the console from the
test setup script.
- Fix ede test to not use default pidfile, and use local interface.
- Fix some lint type warnings.
- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3
(and possibly other distributions)
* Tue Apr 19 2022 Dirk Müller <dmueller@suse.com>
- drop python2 packages
- update to 1.15.0:
This release has bug fixes for crashes that happened on heavy network
usage. The default for the aggressive-nsec option has changed, it is now
enabled.
The ratelimit logic had to be reworked for the crash fixes. As a result,
there are new options to control the behaviour of ratelimiting.
The ratelimit-backoff and ip-ratelimit-backoff options can be used to
control how severe the backoff is when the ratelimit is exceeded.
The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
NXDOMAIN answers from RPZ. That is used by some clients to detect that
the domain is externally blocked. The RPZ option for-downstream can be
used like for auth zones, this allows the RPZ zone information to be queried.
That can be useful for monitoring scripts.
Features
- Fix #596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
- Fix #591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
owner.
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
* Thu Feb 10 2022 Michael Ströder <michael@stroeder.com>
- update to 1.15.0
Features
- Fix #596: unset the RA bit when a query is blocked by an unbound
RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
signal that a domain is externally blocked to clients when it
is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is
authoritatively answered for, so the RPZ zone contents can be
checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces
ratelimit-backoff and ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
Bug Fixes
- Fix compile warning for if_nametoindex on windows 64bit.
- Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
warnings in rpz.
- Fix validator debug output about DS support, print correct algorithm.
- Add code similar to fix for ldns for tab between strings, for
consistency, the test case was not broken.
- Allow local-data for classes other than IN to inherit a configured
local-zone's type if possible, instead of defaulting to type
transparent as per the implicit rule.
- Fix to pick up other class local zone information before unlock.
- Add missing configure flags for optional features in the
documentation.
- Fix Unbound capitalization in the documentation.
- Fix #591: Unbound-anchor manpage links to non-existent license file.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
apply cleanly to the current coderepo for the current code version.
- Fix to add test for rpz-signal-nxdomain-ra.
- Fix #596: only unset RA when NXDOMAIN is signalled.
- Fix that RPZ does not set RD flag on replies, it should be copied
from the query.
- Fix for #596: fix that rpz return message is returned and not just
the rcode from the iterator return path. This fixes signal unset RA
after a CNAME.
- Fix unit tests for rpz now that the AA flag returns successfully from
the iterator loop.
- Fix for #596: add unit test for nsdname trigger and signal unset RA.
- Fix for #596: add unit test for nsip trigger and signal unset RA.
- Fix #598: Fix unbound-checkconf fatal error: module conf
'respip dns64 validator iterator' is not known to work.
- Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
triggered operation.
- Merge #600 from pemensik: Change file mode before changing file
owner.
- Fix prematurely terminated TCP queries when a reply has the same ID.
- For #602: Allow the module-config "subnetcache validator cachedb
iterator".
- Fix EDNS to upstream where the same option could be attached
more than once.
- Add a region to serviced_query for allocations.
- For dnstap, do not wakeupnow right there. Instead zero the timer to
force the wakeup callback asap.
- Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
- Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
serviced_udp_callback.
- Merge PR #612: TCP race condition.
- Test for NSID in SERVFAIL response due to DNSSEC bogus.
- Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
document.
- Fix tls-* and ssl-* documented alternate syntax to also be available
through remote-control and unbound-checkconf.
- Better cleanup on failed DoT/DoH listening socket creation.
- iana portlist update.
- Fix review comment for use-after-free when failing to send UDP out.
- Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
internals.
- Merge PR #532 from Shchelk: Fix: buffer overflow bug.
- Merge PR #617: Update stub/forward-host notation to accept port and
tls-auth-name.
- Update stream_ssl.tdir test to also use the new forward-host
notation.
- Fix header comment for doxygen for authextstrtoaddr.
- please clang analyzer for loop in test code.
- Fix docker splint test to use more portable uname.
- Update contrib/aaaa-filter-iterator.patch with diff for current
software version.
- Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.

Files

/etc/unbound/conf.d
/etc/unbound/conf.d/example.com.conf
/etc/unbound/keys.d
/etc/unbound/keys.d/example.com.key
/etc/unbound/local.d
/etc/unbound/local.d/block-example.com.conf
/etc/unbound/unbound.conf
/run/unbound
/usr/lib/systemd/system/unbound-keygen.service
/usr/lib/systemd/system/unbound.service
/usr/lib/tmpfiles.d/unbound.conf
/usr/sbin/rcunbound
/usr/sbin/rcunbound-keygen
/usr/sbin/unbound
/usr/sbin/unbound-checkconf
/usr/sbin/unbound-control
/usr/sbin/unbound-control-setup
/usr/sbin/unbound-host
/usr/sbin/unbound-streamtcp
/usr/share/doc/packages/unbound
/usr/share/doc/packages/unbound/CREDITS
/usr/share/doc/packages/unbound/FEATURES
/usr/share/doc/packages/unbound/README
/usr/share/fillup-templates/sysconfig.unbound
/usr/share/licenses/unbound
/usr/share/licenses/unbound/LICENSE
/usr/share/man/man1/unbound-host.1.gz
/usr/share/man/man1/unbound-streamtcp.1.gz
/usr/share/man/man5/unbound.conf.5.gz
/usr/share/man/man8/unbound-checkconf.8.gz
/usr/share/man/man8/unbound-control-setup.8.gz
/usr/share/man/man8/unbound-control.8.gz
/usr/share/man/man8/unbound.8.gz

Generated by rpm2html 1.8.1

Fabrice Bellet, Wed Oct 22 23:36:26 2025

unbound-1.24.0-1.1 RPM for armv6hl

From OpenSuSE Ports Tumbleweed for armv6hl

Provides

Requires

License

Changelog

Files