author Dag-Erling Smørgrav <des@FreeBSD.org> 2015-10-09 11:29:49 +0000
committer Dag-Erling Smørgrav <des@FreeBSD.org> 2015-10-09 11:29:49 +0000
commit de0161d6dac5b91ced45540949fb1906c7833ca2
tree 308a39ba602d511ed48460bce48782814b240b32 /doc
parent af3dabbf15fa4d0e7e45a43fbf9a2195edfa941c
Diffstat (limited to 'doc')
-rw-r--r-- doc/Changelog 89
-rw-r--r-- doc/README 2
-rw-r--r-- doc/example.conf.in 9
-rw-r--r-- doc/libunbound.3.in 4
-rw-r--r-- doc/unbound-anchor.8.in 2
-rw-r--r-- doc/unbound-checkconf.8.in 2
-rw-r--r-- doc/unbound-control.8.in 2
-rw-r--r-- doc/unbound-host.1.in 2
-rw-r--r-- doc/unbound.8.in 4
-rw-r--r-- doc/unbound.conf.5.in 20
10 files changed, 121 insertions, 15 deletions
diff --git a/doc/Changelog b/doc/Changelog
index 525bb365e3d9..3f3b245940bd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,92 @@
+28 September 2015: Wouter
+ - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
+ failures.
+ - tag for 1.5.5rc1 release.
+ - makedist.sh: pgp sig echo commands.
+
+25 September 2015: Wouter
+ - Fix unbound-control flush that does not succeed in removing data.
+
+22 September 2015: Wouter
+ - Fix config globbed include chroot treatment, this fixes reload of
+ globs (patch from Dag-Erling Smørgrav).
+ - iana portlist update.
+ - Fix #702: New IPs for for h.root-servers.net.
+ - Remove confusion comment from canonical_compare() function.
+ - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
+ - testbound selftest also works in non-debug mode.
+ - Fix minor error in unbound.conf.5.in
+ - Fix unbound.conf(5) access-control description for precedence
+ and default.
+
+31 August 2015: Wouter
+ - changed windows setup compression to be more transparent.
+
+28 August 2015: Wouter
+ - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
+ 2.4 to 2.6.
+ - Feature #699: --enable-pie option to that builds PIE binary.
+ - Feature #700: --enable-relro-now option that enables full read-only
+ relocation.
+
+24 August 2015: Wouter
+ - Fix deadlock for local data add and zone add when unbound-control
+ list_local_data printout is interrupted.
+ - iana portlist update.
+ - Change default of harden-algo-downgrade to off. This is lenient
+ for algorithm rollover.
+
+13 August 2015: Wouter
+ - 5011 implementation does not insist on all algorithms, when
+ harden-algo-downgrade is turned off.
+ - Reap the child process that libunbound spawns.
+
+11 August 2015: Wouter
+ - Fix #694: configure script does not detect LibreSSL 2.2.2
+
+4 August 2015: Wouter
+ - Document that local-zone nodefault matches exactly and transparent
+ can be used to release a subzone.
+
+3 August 2015: Wouter
+ - Document in the manual more text about configuring locally served
+ zones.
+ - Fix 5011 anchor update timer after reload.
+ - Fix mktime in unbound-anchor not using UTC.
+
+30 July 2015: Wouter
+ - please afl-gcc (llvm) for uninitialised variable warning.
+ - Added permit-small-holddown config to debug fast 5011 rollover.
+
+24 July 2015: Wouter
+ - Fix #690: Reload fails when so-reuseport is yes after changing
+ num-threads.
+ - iana portlist update.
+
+21 July 2015: Wouter
+ - Fix configure to detect SSL_CTX_set_ecdh_auto.
+ - iana portlist update.
+
+20 July 2015: Wouter
+ - Enable ECDHE for servers. Where available, use
+ SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
+ enable ECDHE. Otherwise, manually offer curve p256.
+ Client connections should automatically use ECDHE when available.
+ (thanks Daniel Kahn Gillmor)
+
+18 July 2015: Willem
+ - Allow certificate chain files to allow for intermediate certificates.
+ (thanks Daniel Kahn Gillmor)
+
+13 July 2015: Wouter
+ - makedist produces sha1 and sha256 files for created binaries too.
+
+9 July 2015: Wouter
+ - 1.5.4 release tag
+ - trunk has 1.5.5 in development.
+ - Fix #681: Setting forwarders with unbound-control forward
+ implicitly turns on forward-first.
+
29 June 2015: Wouter
- iana portlist update.
- Fix alloc with log for allocation size checks.
diff --git a/doc/README b/doc/README
index e192333dc986..c8bddcccf838 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.4
+README for Unbound 1.5.5
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 677598767bf5..399aa8048e79 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.5.4.
+# See unbound.conf(5) man page, version 1.5.5.
#
# this is a comment.
@@ -294,7 +294,7 @@ server:
# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record. If no, allows the weakest algorithm
# to validate the zone.
- # harden-algo-downgrade: yes
+ # harden-algo-downgrade: no
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
@@ -444,6 +444,9 @@ server:
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
+ # debug option that allows very small holddown times for key rollover
+ # permit-small-holddown: no
+
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
@@ -623,6 +626,8 @@ remote-control:
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
# With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
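Review bot: The two added comment lines above stub-zone recommend domain-insecure: name without saying what it costs. The matching paragraph added to unbound.conf.5.in explains that the insecure clause stops DNSSEC from invalidating the zone and that nodefault bypasses the RFC1918 filtering; a short version of that rationale here would stop readers from copying domain-insecure onto stubs that point at signed zones. The comment could also say that name must be the same name used in the stub-zone clause.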
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 7ef77865b6e7..9ef367fdda4b 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "libunbound" "3" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -42,7 +42,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.4 functions.
+\- Unbound DNS validating resolver 1.5.5 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index 4632cf71d681..e89be5b44ff1 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-anchor" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index e1a94cf7a812..234a04a48e84 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-checkconf" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 057eb0336fe4..eefd207df834 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound-control" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index 568dbcd407df..a4742d7f5ad9 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound\-host" "1" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index e4ff3b8e9b14..df9baa04e20a 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound" "8" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.5.4.
+\- Unbound DNS validating resolver 1.5.5.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index cd57ab83d3d8..c497eeebf33f 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jul 9, 2015" "NLnet Labs" "unbound 1.5.4"
+.TH "unbound.conf" "5" "Oct 6, 2015" "NLnet Labs" "unbound 1.5.5"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -296,7 +296,7 @@ trust (very large) TTL values.
.TP
.B cache\-min\-ttl: \fI<seconds>
Time to live minimum for RRsets and messages in the cache. Default is 0.
-If the the minimum kicks in, the data is cached for longer than the domain
+If the minimum kicks in, the data is cached for longer than the domain
owner intended, and thus less queries are made to look up the data.
Zero makes sure the data in the cache is as the domain owner intended,
higher values, especially more than an hour or so, can lead to trouble as
@@ -373,6 +373,7 @@ a daemon. Default is yes.
The netblock is given as an IP4 or IP6 address with /size appended for a
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR.
+The most specific netblock match is used, if none match \fIdeny\fR is used.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
.IP
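Review bot: The added access-control sentence is a comma splice and is easy to misread: "The most specific netblock match is used, if none match \fIdeny\fR is used." Since this line defines both the precedence rule and the fallback action for an access-control list, it should be unambiguous. Suggest "The most specific netblock match is used; if none match, \fIdeny\fR is used." or two separate sentences.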
@@ -567,7 +568,7 @@ to increase the max depth that is checked to.
.B harden\-algo\-downgrade: \fI<yes or no>
Harden against algorithm downgrade when multiple algorithms are
advertised in the DS record. If no, allows the weakest algorithm to
-validate the zone. Default is yes. Zone signers must produce zones
+validate the zone. Default is no. Zone signers must produce zones
that allow this feature to work, but sometimes they do not, and turning
this option off avoids that validation failure.
.TP
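Review bot: After changing "Default is yes" to "Default is no" in the harden-algo-downgrade entry, the rest of the paragraph no longer fits: it still ends with "turning this option off avoids that validation failure", which describes the state the reader is already in by default. The text should now say what enabling the option buys (the weakest advertised algorithm can no longer validate the zone on its own) and that enabling it may cause validation failures for zones whose signers do not sign with every advertised algorithm.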
@@ -801,6 +802,10 @@ mechanism work with zones that perform regular (non\-5011) rollovers.
The default is 366 days. The value 0 does not remove missing anchors,
as per the RFC.
.TP
+.B permit\-small\-holddown: \fI<yes or no>
+Debug option that allows the autotrust 5011 rollover timers to assume
+very small values. Default is no.
+.TP
.B key\-cache\-size: \fI<number>
Number of bytes size of the key cache. Default is 4 megabytes.
A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes
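Review bot: The new permit-small-holddown entry says only that the 5011 rollover timers may "assume very small values", without stating what the lower bound is when the option is off or why that bound exists. The RFC 5011 hold-down period is what keeps a newly seen key from being accepted as a trust anchor immediately, so the entry should say that this option removes that protection and is meant for test setups only. The same remark applies to the one-line comment added in example.conf.in.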
@@ -895,7 +900,8 @@ infected machines without answering the queries.
Used to turn off default contents for AS112 zones. The other types
also turn off default contents for the zone. The 'nodefault' option
has no other effect than turning off default contents for the
-given zone.
+given zone. Use \fInodefault\fR if you use exactly that zone, if you want to
+use a subzone, use \fItransparent\fR.
.P
The default zones are localhost, reverse 127.0.0.1 and ::1, and the AS112
zones. The AS112 zones are reverse DNS zones for private use and reserved
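Review bot: The added nodefault guidance runs two instructions together: "Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR." Suggest splitting it after "exactly that zone" into two sentences. It would also help to say what "exactly" is matched against (the Changelog entry for 4 August says nodefault "matches exactly"), since picking the wrong type leaves the default AS112 contents in place for the name the operator meant to release.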
@@ -1124,6 +1130,12 @@ bit on replies for the private zone (authoritative servers do not set the
AD bit). This setup makes unbound capable of answering queries for the
private zone, and can even set the AD bit ('authentic'), but the AA
('authoritative') bit is not set on these replies.
+.P
+Consider adding \fBserver:\fR statements for \fBdomain\-insecure:\fR and
+for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally
+served zone. The insecure clause stops DNSSEC from invalidating the
+zone. The local zone nodefault (or \fItransparent\fR) clause makes the
+(reverse\-) zone bypass unbound's filtering of RFC1918 zones.
.TP
.B name: \fI<domain name>
Name of the stub zone.
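Review bot: In the added stub-zone paragraph, "The insecure clause stops DNSSEC from invalidating the zone" understates what domain-insecure does: validation is turned off for that name, so answers for it are accepted without a chain of trust. Suggest saying that directly and advising that the clause be limited to the locally served zone itself. Minor: "(reverse\-) zone" reads oddly; "(reverse) zone" or "zone, for example a reverse zone," would be clearer.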