update unbound to its current version 1.7.3
Unbound 1.7.3 is available: https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.3.tar.gz sha256 c11de115d928a6b48b2165e0214402a7a7da313cd479203a7ce7a8b62cba602d pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.3.tar.gz.asc
This release fixes a bug in qname minimisation, introduced in 1.7.1, that double counts CNAMEs; this causes resolution failures because the maximum CNAME count is hit. It caught attention because, since 1.7.2, qname minimisation is enabled by default.
For a local named unix pipe unbound-control setup, with the pathname of the socket configured in control-interface, Unbound now uses an unencrypted connection. Permissions can be configured by setting them on the directory the file is in; unbound creates the file with permissions that allow members of the group of the user that is configured in unbound.conf access. This fix is also part of NSD nsd-control.
Compared to 1.7.3rc2, there are a couple of Windows unbound-control related fixes in 1.7.3.
Features
- #4102 for NSD, but for Unbound. Named unix pipes do not use certificate and key files, access can be restricted with file and directory permissions. The option control-use-cert is no longer used, and ignored if found in unbound.conf.
- Rename tls-additional-ports to tls-additional-port, because every line adds one port.
Bug Fixes
- Don't count CNAME response types received during qname minimisation as query restart.
- #4100: Fix stub reprime when it becomes useless.
- Fix crash if ratelimit taken into use with unbound-control instead of with unbound.conf.
- Patch to fix openwrt for mac os build darwin detection in configure.
- #4103: Fix that auth-zone does not insist on SOA record first in file for url downloads.
- Fix that first control-interface determines if TLS is used. Warn when IP address interfaces are used without TLS.
- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
- Fix unbound-checkconf for control-use-cert.
- Fix for unbound-control on Windows and set TCP socket parameters more closely.
- Fix windows unbound-control no cert bad file descriptor error.
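The unix pipe change described above and the bug-fix items on the first control-interface deciding TLS and on control-use-cert: no both move unbound-control access control onto the configuration and the filesystem: a named unix socket is unencrypted, so only the socket directory's permissions limit who can reach it, and an IP address control-interface without TLS is plaintext control over TCP. The following is an added example, not code from the Unbound project or from this release: a small Python lint for the remote-control: clause of an unbound.conf that flags a socket directory accessible to "other" and an IP control-interface that ends up without TLS. The parser, the sample configurations and the /run/unbound/control.sock path are constructed for the example; treating any "other" permission bit on the directory as a finding is this example's own policy (the notes only describe the group-based permissions unbound puts on the socket itself), and "TLS is decided by the first control-interface" is the reading of the bug-fix line above, generalised to mixed socket/IP configurations.

```python
"""Added example, not Unbound project code: lint the remote-control:
clause of unbound.conf for two access-control pitfalls from the
1.7.3 notes (constructed sample configs below).

  * A unix socket control-interface is unencrypted; the directory
    holding the socket must not be accessible to "other" (policy
    chosen for this example).
  * TLS is decided by the first control-interface: an IP address
    interface without TLS (control-use-cert: no, or a unix socket
    listed first) is plaintext control over TCP.
"""
import ipaddress
import os
import stat


def parse_remote_control(text):
    """Return (control_interfaces, control_use_cert) from config text.

    Minimal parser: only the 'key: value' lines this check needs.
    """
    interfaces, use_cert, in_clause = [], True, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.endswith(":"):                 # clause header, e.g. server:
            in_clause = line == "remote-control:"
            continue
        if not in_clause:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "control-interface":
            interfaces.append(value)
        elif key == "control-use-cert":
            use_cert = value.lower() in ("yes", "on", "true")
    return interfaces, use_cert


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dir_mode(path):
    """Permission bits of the directory that will hold a unix socket."""
    return stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)


def lint_remote_control(text, dir_mode=_dir_mode):
    """Return a list of findings; an empty list means nothing to flag.

    dir_mode is injectable so the lint can run against a config whose
    socket directory does not exist on the machine running it.
    """
    interfaces, use_cert = parse_remote_control(text)
    findings = []
    if not interfaces:
        return findings                        # default: 127.0.0.1 with certs
    tls = _is_ip(interfaces[0]) and use_cert   # first interface decides TLS
    for iface in interfaces:
        if _is_ip(iface):
            if not tls:
                findings.append(f"{iface}: control over TCP without TLS")
            continue
        try:
            mode = dir_mode(iface)
        except OSError as exc:
            findings.append(f"{iface}: cannot stat socket directory ({exc.strerror})")
            continue
        if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
            findings.append(f"{iface}: socket directory {oct(mode)} grants 'other' access")
    return findings


# Constructed sample configurations (not from any real deployment).
SAMPLE_TLS = """\
server:
    verbosity: 1
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: yes
"""

SAMPLE_PLAINTEXT_TCP = """\
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-use-cert: no     # no TLS and no client cert on a TCP port
"""

SAMPLE_UNIX = """\
remote-control:
    control-enable: yes
    control-interface: /run/unbound/control.sock
"""

SAMPLE_MIXED = """\
remote-control:
    control-enable: yes
    control-interface: /run/unbound/control.sock   # first: no TLS at all
    control-interface: 127.0.0.1                   # so this one is plaintext
"""

if __name__ == "__main__":
    for name, cfg in [("tls", SAMPLE_TLS), ("plaintext", SAMPLE_PLAINTEXT_TCP),
                      ("unix", SAMPLE_UNIX), ("mixed", SAMPLE_MIXED)]:
        print(name, lint_remote_control(cfg) or "ok")
```

Run it as a script to see the findings for the four samples; on a host without /run/unbound the unix-socket samples report that the directory cannot be stat'ed, which is itself the right answer before the socket directory has been created with the intended ownership and mode.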
Unbound 1.7.2 is available: https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2.tar.gz sha256 a85fc7bb34711992cf128b2012638ebb8dc1fe15818baa381f6489240845eaa0 pgp https://www.nlnetlabs.nl/downloads/unbound/unbound-1.7.2.tar.gz.asc
Features:
- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
- Qname minimisation default changed to yes.
- Use accept4 to speed up incoming TCP (and TLS) connections, available on Linux, FreeBSD and OpenBSD.
- tls-win-cert option that adds the system certificate store for authenticating DNS-over-TLS connections. It can be used instead of the tls-cert-bundle option, or with it to add certificates.
- Patch from Syzdek: Add ability to ignore RD bit and treat all requests as if the RD bit is set.
- Rename additional-tls-port to tls-additional-ports. The older name is accepted for backwards compatibility.
Bug fixes:
- Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
- Also fix that for dnscrypt.
- Fix spelling error in man page and note defaults as no instead of off.
- Fix that unbound-control reload frees the rrset keys and returns the memory pages to the system.
- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
- Fix that configure --with-libhiredis also turns on cachedb.
- Fix gcc 8 buffer warning in testcode.
- Fix function type cast warning in libunbound context callback type.
- Fix windows to not have sticky TLS events for TCP.
- Fix read of DNS over TLS length and data in one read call.
- Fix mesh state assertion failure due to callback removal.
- Fix contrib/libunbound.pc for libssl libcrypto references, from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
- Fix that libunbound can do DNS-over-TLS, when configured.
- Fix that windows unbound service can use DNS-over-TLS.
- unbound-host initializes ssl (for potential DNS-over-TLS usage inside libunbound), when ssl upstream or a cert-bundle is configured.
- For TCP and TLS connections that don't establish, perform address update in infra cache, so future selections can exclude them.
- Fix that tcp sticky events are removed for closed fd on windows.
- Fix close events for tcp only.
- Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX.
- In compat/arc4random call getentropy_urandom when getentropy fails with ENOSYS.
- Fix that fallback for windows port.
- Fix deadlock caused by incoming notify for auth-zone.