Diffstat (limited to 'contrib/unbound/doc/Changelog')
-rw-r--r-- | contrib/unbound/doc/Changelog | 311 |
1 files changed, 289 insertions, 22 deletions
diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 9668a6364cf4..c78cdff3b9bf 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog 
@@ -1,3 +1,270 @@ +17 September 2025: Yorgos + - Too many quotes for the EDE message debug printout. + +15 September 2025: Yorgos + - Small debug output improvement when attaching an EDE. + +15 September 2025: Wouter + - Fix to print warning for when so-sndbuf setsockopt is not granted. + +11 September 2025: Wouter + - version set to 1.24.0 for release. + - tag for 1.24.0rc1. + - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0. + +9 September 2025: Wouter + - Fix #1332: CNAME chains are sometimes not followed when RPZs add a + local CNAME rewrite. + +8 September 2025: Yorgos + - Update documentation for using "SET ... EX" in Redis. + - Document max buffer sizes for Redis commands. + - Update man pages. + +3 September 2025: Wouter + - For #1328: make depend. + +2 September 2025: Wouter + - Fix #1235: Outdated Python2 code in + unbound/pythonmod/examples/log.py. + - Fix #1324: Memory leak in 'msgparse.c' in + 'parse_edns_options_from_query(...)'. + - Fix indentation in tcp-mss option parsing. + +1 September 2025: Wouter + - Fix for #1324: Fix to free edns options scratch in ratelimit case. + +29 August 2025: Yorgos + - Limit the number of consecutive reads on an HTTP/2 session. + Thanks to Gal Bar Nahum for exposing the possibility of infinite + reads on the session. + +28 August 2025: Wouter + - Fix setup_listen_sslctx warning for nettle compile. + +27 August 2025: Wouter + - Fix unbound-control dump_cache for double unlock of lruhash table. + +26 August 2025: Wouter + - Fix ports workflow to install expat for macos. + +22 August 2025: Wouter + - For #1318: Fix compile warnings for DoH compile on windows. + - Fix sha1 enable environment variable in test code on windows. + - Fix #1319: [FR] zone status for Unbound auth-zones. + - Fix that the zone acquired timestamp is set after the + zonefile is read. 
+ +21 August 2025: Wouter + - Fix to check for extraneous command arguments for unbound-control, + when the command takes no arguments but there are arguments present. + - Fix #1317: Unbound starts too early. Add + Wants=network-online.target under [Unit] in unbound.service. + - Fix for #1317: Fix contrib/unbound.service comment path for + systemd network configuration. + +15 August 2025: Wouter + - unbound-control cache_lookup +t allows tld and root names. And + subnet cache contents are printed. + - Fix cache_lookup subnet printout to wipe zero part of the prefix. + - Fix cache_lookup subnet print to not print messages without rrsets + and perform in-depth check on node in the addrtree. + +14 August 2025: Wouter + - Fix to increase responsiveness of dump_cache. + - Fix to decouple file descriptor activity and cache lookups in + dump_cache. + +13 August 2025: Wouter + - unbound-control cache_lookup <domains> prints the cached rrsets + and messages for those. + - Fix to remove debug from cache_lookup. + - Fix to unlock cache_lookup message for malformed records. + +12 August 2025: Wouter + - Fix that unbound-control dump_cache releases the cache locks + every so often, so that the server stays responsive. + +7 August 2025: Wouter + - Fix dname_str for printout of long names. Thanks to Jan Komissar + for the fix. + - Fix that edns-subnet failure to create a subquery errors as + servfail, and not formerror. + - Fix to whitespace in dname_str. + +6 August 2025: Wouter + - Fix edns subnet, so that the subquery without subnet is stored in + global cache if the querier used 0.0.0.0/0 and the name and address + do not receive subnet treatment. If the name and address are + configured for subnet, it is stored in the subnet cache. + +5 August 2025: Wouter + - Fix #1309: incorrectly reclaimed tcp handler can cause data + corruption and segfault. + - Fix to use assertions for consistency checks in #1309 reclaimed + tcp handlers. 
+ +1 August 2025: Wouter + - Fix testbound test program to accurately output packets from hex. + +28 July 2025: Wouter + - Fix redis cachedb module gettimeofday init failure. + +24 July 2025: Wouter + - Redis checks for server down and throttles reconnects. + +17 July 2025: Wouter + - Fix to not set rlimits in the unit tests. + - Fix #1303: [FR] Disable TLSv1.2. + - iana portlist updated. + +16 July 2025: Wouter + - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li + from AOSP Lab Nankai University. + - Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the + repository continues with the previous fixes, with 1.23.2. + - Add unit tests for non-ecs aggregation. + +12 July 2025: Yorgos + - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to + track the number of signature validation operations. + Adds 'num.valops' to extended statistics. + - For #1289: test num.valops in existing stat_values.tdir. + - For #1289: add num.valops in the unbound-control man page. + +11 July 2025: Wouter + - Fix detection of SSL_CTX_set_tmp_ecdh function. + - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1. + +8 July 2025: Wouter + - Fix to improve dnstap discovery on Fedora. + +3 July 2025: Wouter + - Fix #1300: Is 'sock-queue-timeout' a linux only feature. + - For #1300: implement sock-queue-timeout for FreeBSD as well. + - Fix layout of comm_point_udp_ancil_callback. + +2 July 2025: Wouter + - Merge #1299: Fix typos. + - Generate ltmain.sh and configure again. + +25 June 2025: Yorgos + - Fix #1247: forward-first: ssl handshake failed on root nameservers. + - For #1247, turn off fetch-policy for delegation when looking into + parent side name servers that may not update the addresses and hit + NXNS limits. + - For #1247, replay test (added tcp_transport to + outnet_serviced_query). + +20 June 2025: Yorgos + - Fix #1293: EDE 6 is attached to insecure cached answers when client + sends the CD bit. 
+ +19 June 2025: Wouter + - Fix #1296: DNS over QUIC depends on a very outdated version of + ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0. + - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod. + - Fix rrset cache create allocation failure case. + +17 June 2025: Yorgos + - Fix for consistent use of local zone CNAME alias for configured auth + zones. Now it also applies to downstream configured auth zones. + +16 June 2025: Wouter + - Fix to check control-interface addresses in unbound-checkconf. + - Fix #1295: Windows 32-bit binaries download seems to be missing dll + dependency. + +12 June 2025: Wouter + - Fix header return value description for skip_pkt_rrs and + parse_edns_from_query_pkt. + +11 June 2025: Wouter + - Fix bitwise operators in conditional expressions with parentheses. + - Fix conditional expressions with parentheses for bitwise and. + +5 June 2025: Wouter + - Fix unbound-anchor certificate file read for line ends and end of + file. + - Fix comment for the dname_remove_label_limit_len function. + - iana portlist updated. + +3 June 2025: Yorgos + - Small manpage corrections for the 'disable-dnssec-lame-check' option. + +21 May 2025: Wouter + - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound + program. + +20 May 2025: Yorgos + - Merge #1285: RST man pages. It introduces restructuredText man pages + to sync the online and source code man page documentation. + The templated man pages (*.in) are still part of the repo but + generated with docutils from their .rst counterpart. + Documentation on how to generate those (mainly for core developers) + is in README.man. + - Add more checks about respip in unbound-checkconf. + Also fixes #310: unbound-checkconf not reporting RPZ configuration + error. + +19 May 2025: Wouter + - Fix for cname chain length with qtype ANY and qname minimisation. + Thanks to Jim Greenwood from Nominet for the report. 
+ +15 May 2025: Wouter + - Fix config of slab values when there is no config file. + +13 May 2025: Yorgos + - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) + by adding a log_assert() to safeguard future development. + - Fix #1282: log-destaddr fail on long ipv6 addresses. + +13 May 2025: Wouter + - Change default for so-sndbuf to 1m, to mitigate a cross-layer + issue where the UDP socket send buffers are exhausted waiting + for ARP/NDP resolution. Thanks to Reflyable for the report. + - Adjusted so-sndbuf default to 4m. + +12 May 2025: Yorgos + - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on + broken auth zones that include unsigned out of zone (above apex) + data. Could lead to hang while trying to prove a wildcard answer. + +12 May 2025: Wouter + - Fix #1283: Unsafe usage of atoi() while parsing the configuration + file. + +9 May 2025: Wouter + - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." + in 1.23.0, but worked in 1.22.0. + +5 May 2025: Yorgos + - Sync unbound and unbound-checkconf log output for unknown modules. + +29 April 2025: Wouter + - Fix for parallel build of dnstap protoc-c output. + - Fix dnstap to use protoc. + +29 April 2025: Yorgos + - Merge #1276: Auto-configure '-slabs' values. + +28 April 2025: Yorgos + - Merge #1275: Use macros for the fr_check_changed* functions. + +25 April 2025: Wouter + - Fix #1272: assertion failure testcode/unitverify.c:202. + +16 April 2025: Wouter + - Increase default to `num-queries-per-thread: 2048`, when unbound is + compiled with libevent. It makes saturation of the task queue more + resource intensive and less practical. Thanks to Shiming Liu, + Network and Information Security Lab, Tsinghua University for the + report. + +11 April 2025: Wouter + - Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April + 2025. The code repository continues with 1.23.1 in development. + 11 April 2025: Yorgos - Merge #1265: Fix WSAPoll. 
@@ -651,7 +918,7 @@ now checks both single and multi process/thread operation. 16 May 2024: Yorgos - - Merge #1070: Fix rtt assignement for low values of + - Merge #1070: Fix rtt assignment for low values of infra-cache-max-rtt. 16 May 2024: Wouter @@ -1059,7 +1326,7 @@ 13 October 2023: George - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the - same as transmission end. Addesses #947 and #948. + same as transmission end. Addresses #947 and #948. 12 October 2023: Wouter - Merge #944: Disable EDNS DO. @@ -1082,7 +1349,7 @@ 10 October 2023: George - Fix infinite loop when reading multiple lines of input on a broken - remote control socket. Addesses #947 and #948. + remote control socket. Addresses #947 and #948. 9 October 2023: Wouter - Fix edns subnet so that queries with a source prefix of zero cause @@ -1515,7 +1782,7 @@ - Ignore expired error responses. 11 November 2022: Wouter - - Fix #779: [doc] Missing documention in ub_resolve_event() for + - Fix #779: [doc] Missing documentation in ub_resolve_event() for callback parameter was_ratelimited. 9 November 2022: George @@ -2479,7 +2746,7 @@ not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure. - travis, analyzer disabled on test without debug, that does not - run anway. Turn off failing tests except one. Update iOS test + run anyway. Turn off failing tests except one. Update iOS test to xcode image 12.2. 22 March 2021: George @@ -2568,7 +2835,7 @@ - Fix build on Python 3.10. 10 February 2021: Wouter - - Merge PR #420 from dyunwei: DOH not responsing with + - Merge PR #420 from dyunwei: DOH not responding with "http2_query_read_done failure" logged. 9 February 2021: Wouter 
@@ -2968,7 +3235,7 @@ 6 August 2020: Wouter - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. - The DLV has been decommisioned and in unbound 1.5.4, in 2015, there + The DLV has been decommissioned and in unbound 1.5.4, in 2015, there was advise to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. @@ -3517,7 +3784,7 @@ 3 December 2019: Wouter - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - - Fix text around serial arithmatic used for RRSIG times to refer + - Fix text around serial arithmetic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. @@ -3780,7 +4047,7 @@ - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - - Fix to remove unused test for task_probe existance. + - Fix to remove unused test for task_probe existence. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. @@ -5037,7 +5304,7 @@ 1 February 2018: Wouter - fix unaligned structure making a false positive in checklock - unitialised memory. + uninitialised memory. 29 January 2018: Ralph - Use NSEC with longest ce to prove wildcard absence. @@ -5640,8 +5907,8 @@ - Remove (now unused) event2 include from dnscrypt code. 24 March 2017: George - - Fix to prevent non-referal query from being cached as referal when the - no_cache_store flag was set. + - Fix to prevent non-referral query from being cached as referral when + the no_cache_store flag was set. 23 March 2017: Wouter - Fix #1239: configure fails to find python distutils if python 
@@ -5704,7 +5971,7 @@ 7 March 2017: Wouter - Fix #1230: swig version 2.0.0 is required for pythonmod, with - 1.3.40 it crashes when running repeatly unbound-control reload. + 1.3.40 it crashes when running repeatedly unbound-control reload. - Response actions based on IP address from Jinmei Tatuya (Infoblox). 6 March 2017: Wouter @@ -5720,7 +5987,7 @@ known vulns. 27 February 2017: Wouter - - Fix #1227: Fix that Unbound control allows weak ciphersuits. + - Fix #1227: Fix that Unbound control allows weak ciphersuites. - Fix #1226: provide official 32bit binary for windows. 24 February 2017: Wouter @@ -6709,7 +6976,7 @@ - Fix #674: Do not free pointers given by getenv. 29 May 2015: Wouter - - Fix that unparseable error responses are ratelimited. + - Fix that unparsable error responses are ratelimited. - SOA negative TTL is capped at minimumttl in its rdata section. - cache-max-negative-ttl config option, default 3600. @@ -6727,7 +6994,7 @@ 10 May 2015: Wouter - Change syntax of particular validator error to be easier for - machine parse, swap rrset and ip adres info so it looks like: + machine parse, swap rrset and ip address info so it looks like: validation failure <www.example.nl. TXT IN>: signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> @@ -8307,7 +8574,7 @@ - fix that --enable-static-exe does not complain about it unknown. 30 June 2011: Wouter - - tag relase 1.4.11, trunk is 1.4.12 development. + - tag release 1.4.11, trunk is 1.4.12 development. - iana portlist updated. - fix bug#395: id bits of other query may leak out under conditions - fix replyaddr count wrong after jostled queries, which leads to @@ -9637,7 +9904,7 @@ 8 June 2009: Wouter - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause - inadvertant behaviour. + inadvertent behaviour. - 1.3.0 tarball for release created. - 1.3.1 development in svn trunk. - iana portlist updated. 
@@ -9986,7 +10253,7 @@ - initgroups(3) is called to drop secondary group permissions, if applicable. - configure option --with-ldns-builtin forces the use of the - inluded ldns package with the unbound source. The -I include + included ldns package with the unbound source. The -I include is put before the others, so it avoids bad include files from an older ldns install. - daemon(3) posix call is used when available. @@ -10291,7 +10558,7 @@ please ranlib, stop file without symbols warning. - harden referral path now also validates the root after priming. It looks up the root NS authoritatively as well as the root servers - and attemps to validate the entries. + and attempts to validate the entries. 16 October 2008: Wouter - Fixup negative TTL values appearing (reported by Attila Nagy). @@ -11070,7 +11337,7 @@ - please doxygen, put doxygen comment in one place. - asynclook -b blocking mode and test. - refactor asynclook, nicer code. - - fixup race problems from opensll in rand init from library, with + - fixup race problems from openssl in rand init from library, with a mutex around the rand init. - fix pass async_id=NULL to _async resolve(). - rewrote _wait() routine, so that it is threadsafe. @@ -12043,7 +12310,7 @@ 11 June 2007: Wouter - replies on TCP queries have the address field set in replyinfo, for serviced queries, because the initiator does not know that - a TCP fallback has occured. + a TCP fallback has occurred. - omit DNSSEC types from nonDO replies, except if qtype is ANY or if qtype directly queries for the type (and then only show that 'unknown type' in the answer section). |
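Review bot: In the first hunk (@@ -1,3 +1,270 @@), two changed defaults are easy to miss among the 289 added lines. The 13 May 2025 entries move the so-sndbuf default twice (to 1m, then "Adjusted so-sndbuf default to 4m"), and the 16 April 2025 entry raises num-queries-per-thread to 2048 for libevent builds. Suggest naming the final values (4m and 2048) in the import's commit message or upgrade notes, together with the security-relevant entries in this range: the CVE-2025-5994 fix (16 July 2025), the #1309 reclaimed tcp handler fix (5 August 2025) and the limit on consecutive HTTP/2 reads (29 August 2025). The 15 September 2025 entry adds a warning when the so-sndbuf setsockopt is not granted, so the larger default can show up as a new log line after upgrade, which is worth a sentence as well.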
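Review bot: In the @@ -2968,7 +3235,7 @@ hunk the corrected line still ends in "there", which the unchanged context line continues as "was advise to stop using it"; the noun should be "advice". Since this hunk already touches the entry for "decommissioned", fix both in the same pass so the 6 August 2020 entry does not need a second spelling change later.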
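Review bot: In the @@ -6727,7 +6994,7 @@ hunk the replaced line fixes "adres" but keeps "machine parse", so the 10 May 2015 entry still reads "to be easier for machine parse". Suggest "easier for machines to parse" (or "easier to machine parse") while the line is being edited anyway; the example validation failure message below it is correctly left unchanged.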