Tags: ssps12/unbound

Tags

release-1.13.0

Verified

This tag was signed with the committer’s verified signature. The key has expired.
wcawijngaards Wouter Wijngaards
Unbound 1.13.0

This version has fixes to connect for UDP sockets, slowing down potential
ICMP side channel leakage.  The fix can be controlled with the option
udp-connect: yes, it is enabled by default.

Additionally CVE-2020-28935 is fixed; this solves a problem where the
pidfile is altered by a symlink, and fails if a symlink is encountered.
See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
information.

New features are upstream TCP and TLS query reuse, where a channel is
reused for several queries.  And http-notls-downstream: yesno for
unencrypted DoH, useful for back end support servers.  The option
infra-keep-probing can be used to probe hosts that are down more
frequently.

The options edns-client-string and edns-client-string-opcode can be used
to add an EDNS option with the specified string in queries towards servers,
with the servers specified by IP address.  It replaces the edns-client-tag
option.

Features
- Pass the comm_reply information to the inplace_cb_reply* functions
  during the mesh state and update the documentation on that.
- Fix NLnetLabs#330: [Feature request] Add unencrypted DNS over HTTPS support.
  This adds the option http-notls-downstream: yesno to change that,
  and the dohclient test code has the -n option.
- Merge PR NLnetLabs#228 : infra-keep-probing option to probe hosts that are
  down.  Add infra-keep-probing: yes option. Hosts that are down are
  probed more frequently.
  With the option turned on, it probes about every 120 seconds,
  eventually after exponential backoff, and that stays that way if
  traffic keeps up for the domain. It probes one at a time, e.g.
  one query is allowed to probe, other queries within that 120 second
  interval are turned away.
- Merge PR NLnetLabs#313 from Ralph Dolmans: Replace edns-client-tag with
  edns-client-string option.
- Merge PR NLnetLabs#283 : Stream reuse.  This implements upstream stream
  reuse for performing several queries over the same TCP or TLS
  channel.
- Fix to connect() to UDP destinations, default turned on,
  this lowers vulnerability to ICMP side channels.
  Option to toggle udp-connect, default is enabled.

Bug Fixes
- Fix NLnetLabs#319: potential memory leak on config failure, in rpz config.
- Fix dnstap socket and the chroot not applied properly to the dnstap
  socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
- Fix NLnetLabs#323: unbound testsuite fails on mock build in systemd-nspawn
  if systemd support is built.
- Fix for python reply callback to see mesh state reply_list member,
  it only removes it briefly for the commpoint call so that it does
  not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
  reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host.
- Merge PR NLnetLabs#326 from netblue30: DoH: implement content-length
  header field.
- DoH content length, simplify code, remove declaration after
  statement and fix cast warning.
- Fix that if there are reply callbacks for the given rcode, those
  are called per reply and a new message created if that was modified
  by the call.
- Fix that the out of order TCP processing does not limit the
  number of outstanding queries over a connection.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Log ip address when http session recv fails, e.g. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
  the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
  of queries.  It was tested to work.
- Fix that http settings have colon in set_option, for
  http-endpoint, http-max-streams, http-query-buffer-size,
  http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- local-zone regional allocations outside of chunk.
- Merge PR NLnetLabs#324 from James Renken: Add modern X.509v3 extensions to
  unbound-control TLS certificates.
- Fix for PR NLnetLabs#324 to attach the x509v3 extensions to the client
  certificate.
- Fix NLnetLabs#327: net/if.h check fails on some darwin versions; contribution by
  Joshua Root.
- Fix NLnetLabs#320: potential memory corruption due to size miscomputation upon
  custom region alloc init.
- Fix NLnetLabs#333: Unbound Segmentation Fault w/ log_info Functions From
  Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
  query response.
- In man page note that tls-cert-bundle is read before permission
  drop and chroot.
- Fix NLnetLabs#341: fixing a possible memory leak.
- Fix memory leak after fix for possible memory leak failure.
- Fix NLnetLabs#343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
  undeclared.
- Fix for NLnetLabs#303 CVE-2020-28935 : Fix that symlink does not interfere
  with chown of pidfile.
- Fix NLnetLabs#347: IP_DONTFRAG broken on Apple xcode 12.2.
- Fix NLnetLabs#350: with the AF_NETLINK permission, to fix 1.12.0 error:
  failed to list interfaces: getifaddrs: Address family not
  supported by protocol.
- Merge NLnetLabs#351 from dvzrv: Add AF_NETLINK to set of allowed socket
  address families.
- iana portlist updated.
- Fix crash when TLS connection is closed prematurely, when
  reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- With udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets.  Where
  the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
  is written.
- Fix readagain and writeagain callback functions for comm point
  cleanup.
- Fix to omit UDP receive errors from log, if verbosity low.
  These happen because of udp-connect.
- For NLnetLabs#352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
- Fix assertion failure on double callback when iterator loses
  interest in query at head of line that then has the tcp stream
  not kept for reuse.
- Fix stream reuse and tcp fast open.
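
The udp-connect fix described in this tag message, as an added example that is not part of the message or of Unbound's code: three loopback UDP sockets play resolver, nameserver and an unrelated sender, and the code shows what connect() changes for the resolver socket (the kernel discards datagrams from anyone but the connected peer, and ICMP port-unreachable surfaces as ECONNREFUSED). Function names and the 20 ms settle delays are constructed for the demo.

```c
/* Added example, not Unbound's code: what connect() on a UDP socket buys
 * udp-connect: yes.  Loopback sockets only; no real network is needed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fresh UDP socket bound to 127.0.0.1:ephemeral; address stored in *sa. */
static int bind_loopback(struct sockaddr_in *sa)
{
    socklen_t len = sizeof *sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)sa, len) == 0 &&
        getsockname(fd, (struct sockaddr *)sa, &len) == 0)
        return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Non-blocking receive: 1 = delivered, 0 = nothing queued, -1 = error (*err). */
static int try_recv(int fd, int *err)
{
    char buf[64];
    if (recv(fd, buf, sizeof buf, MSG_DONTWAIT) >= 0) return 1;
    *err = errno;
    return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
}

/* Returns 1 when (a) a datagram from the unrelated sender is discarded by
 * the kernel before it reaches the connected resolver socket and (b) the
 * nameserver's reply is delivered.  If refused is non-NULL it is set to 1
 * when, after the nameserver is gone, ICMP port-unreachable is reported as
 * ECONNREFUSED on the resolver socket (the error that the "ignore
 * connection refused with UDP timeouts" fix folds into the timeout path). */
int udp_connect_demo(int *refused)
{
    struct sockaddr_in rs, ns, os, from;
    socklen_t flen = sizeof from;
    char b[4];
    int r = bind_loopback(&rs), n = bind_loopback(&ns), o = bind_loopback(&os);
    int err = 0, stray = -1, reply = -1, ok = 0;
    if (refused) *refused = 0;
    if (r < 0 || n < 0 || o < 0) goto out;
    if (connect(r, (struct sockaddr *)&ns, sizeof ns) < 0) goto out;
    sendto(o, "x", 1, 0, (struct sockaddr *)&rs, sizeof rs);  /* (a) */
    usleep(20000);
    stray = try_recv(r, &err);
    if (send(r, "q", 1, 0) == 1 &&                              /* (b) */
        recvfrom(n, b, sizeof b, 0, (struct sockaddr *)&from, &flen) == 1)
        sendto(n, "a", 1, 0, (struct sockaddr *)&from, flen);
    usleep(20000);
    reply = try_recv(r, &err);
    ok = (stray == 0 && reply == 1);
    close(n); n = -1;                 /* nameserver port is now closed */
    send(r, "q", 1, 0);
    usleep(20000);
    if (try_recv(r, &err) < 0 && err == ECONNREFUSED && refused) *refused = 1;
out:
    if (r >= 0) close(r); if (n >= 0) close(n); if (o >= 0) close(o);
    return ok;
}

int main(void)
{
    int refused = 0, ok = udp_connect_demo(&refused);
    printf("filter %s, ECONNREFUSED %s\n", ok ? "ok" : "FAILED", refused ? "seen" : "not seen");
    return ok ? 0 : 1;
}
```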

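The pidfile symlink problem (CVE-2020-28935) named in this tag message, as an added example that is not Unbound's code: a pidfile writer that refuses a symlink at the pidfile path with O_NOFOLLOW, checks that it holds a regular file, and changes ownership through the open descriptor instead of a path-based chown(). The function name, the temp-dir demo and its file names are constructed for this example.

```c
/* Added example, not Unbound's code: create the pidfile so that a symlink
 * planted at its path can neither redirect the write nor the chown. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 on success, -1 with errno set.  A symlink at path fails with ELOOP,
 * anything but a regular file with EINVAL. */
int write_pidfile_nofollow(const char *path, pid_t pid, uid_t uid, gid_t gid)
{
    char buf[32];
    struct stat st;
    int n, e, fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0)
        goto fail;
    if (!S_ISREG(st.st_mode)) {
        errno = EINVAL;
        goto fail;
    }
    /* Owner change applies to the inode we hold open, not to a path that a
     * second process could swap for a symlink before a chown(path). */
    if (fchown(fd, uid, gid) < 0)
        goto fail;
    n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)n) != n)
        goto fail;
    return close(fd);
fail:
    e = errno;
    close(fd);
    errno = e;
    return -1;
}

/* Demo in a fresh temp dir: (1) a regular pidfile is written and reads back
 * our pid; (2) with "unbound.pid" replaced by a symlink to another file the
 * write is refused with ELOOP.  Returns 1 only when both hold. */
int pidfile_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char pidf[256], other[256], back[32] = {0};
    int ok = 0, rc;
    FILE *f;
    if (!mkdtemp(dir))
        return 0;
    snprintf(pidf, sizeof pidf, "%s/unbound.pid", dir);
    snprintf(other, sizeof other, "%s/other-file", dir);
    if (write_pidfile_nofollow(pidf, getpid(), getuid(), getgid()) == 0 &&
        (f = fopen(pidf, "r")) != NULL) {
        ok = fgets(back, sizeof back, f) && atol(back) == (long)getpid();
        fclose(f);
    }
    unlink(pidf);
    close(open(other, O_WRONLY | O_CREAT, 0600));
    if (symlink(other, pidf) == 0) {
        rc = write_pidfile_nofollow(pidf, getpid(), getuid(), getgid());
        ok = ok && rc == -1 && errno == ELOOP;
    } else
        ok = 0;
    unlink(pidf); unlink(other); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("pidfile demo %s\n", pidfile_demo() ? "passed" : "FAILED");
    return 0;
}
```
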
release-1.13.0rc4

wcawijngaards Wouter Wijngaards
Unbound 1.13.0rc4 tag.

release-1.13.0rc3

wcawijngaards Wouter Wijngaards
Unbound 1.13.0rc3 tag

release-1.13.0rc2

wcawijngaards Wouter Wijngaards
Unbound 1.13.0rc2 tag

release-1.13.0rc1

wcawijngaards Wouter Wijngaards
Tag for Unbound 1.13.0rc1

release-1.12.0

wcawijngaards Wouter Wijngaards
Unbound 1.12.0

This release contains the DNS Flag Day 2020 changes.  This sets the default EDNS buffer size to 1232, that should reduce fragmentation.
https://dnsflagday.net/2020/

There is inclusive language in the configuration.  There are caps-exempt, ipsecmod-allow and primary server options for auth-zones.  The older terms are accepted to keep configuration working.

DNS-over-HTTPS is supported in this release.  The DoH is enabled when Unbound is compiled with the nghttp2 library, with configure --with-libnghttp2.  Then have an interface on the https port, that can be configured with the https-port option.  Also have a cert and key available with the tls-service-key and tls-service-pem options.  Further settings can be configured for the http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size and http-nodelay options.  The max streams sets the maximum concurrent streams, the buffer size options the number of bytes in buffers, and the nodelay option can turn on TCP_NODELAY for DNS-over-HTTPS service.  In the statistics the memory used is reported in mem.http.query_buffer and mem.http.response_buffer.  The number of queries is reported in num.query.https, they are also included in the tcp and tls counts because https uses TLS and TCP.

The DLV options and code to handle DLV lookups have been removed from the code base.  The DLV repository is empty nowadays, it has been decommissioned.

There is a new feature where it is possible to use interface names to bind to the IP addresses on that interface.  It pulls in the addresses at the start of the server, if the addresses change, use the existing freebind and other socket options to register for addresses before they appear, or the interface-automatic option that copies them from queries to answers with ancillary data.

There is a new option for the edns-tag draft specification.  It can be enabled if you need the tentative implementation to add those tags to outgoing messages.

Features
- DNS Flag Day 2020: change edns-buffer-size default to 1232.
- Merge PR NLnetLabs#255: DNS-over-HTTPS support.
- Use inclusive language in configuration
- Merge PR NLnetLabs#284 and Fix NLnetLabs#246: Remove DLV entirely from Unbound.
  The DLV has been decommissioned and in unbound 1.5.4, in 2015, there
  was advice to stop using it.  The current code base does not contain
  DLV code any more.  The use of dlv options displays a warning.
- Similar to NSD PR#113, implement that interface names can be used,
  e.g. something like interface: eth0 is resolved at server start and
  uses the IP addresses for that named interface.
- Merge PR NLnetLabs#272: Add EDNS client tag functionality.
- Add edns-client-tag-opcode option

Bug Fixes
- Merge PR NLnetLabs#270 from cgzones: munin plugin: always exit 0 in autoconf
- Merge PR NLnetLabs#269, Fix python module len() implementations, by Torbjörn
  Lönnemark
- Merge PR NLnetLabs#268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
  March 2020, by and0x000.
- Fix doxygen comment for no ssl for tls session ticket key callback
  routine.
- Fix mini_event.h on OpenBSD cannot find fd_set.
- Improve error log message when inserting rpz RR.
- Merge PR NLnetLabs#280, Make tvOS & watchOS checks verify truthiness as well as
  definedness, by Felipe Gasper.
- contrib/aaaa-filter-iterator.patch file renewed diff content to
  apply cleanly to the current coderepo for the current code version.
- Fix NLnetLabs#287: doc typo: "Additionaly".
- Merge (modified) PR NLnetLabs#277, use EVP_MAC_CTX_set_params if available,
  by Vítězslav Čížek.
- Create and init edns tags data for libunbound.
- Fix stats double count issue (NLnetLabs#289).
- Fix that dnstap reconnects do not spam the log with the repeated
  attempts.  Attempts on the timer are only logged on high verbosity,
  if they produce a connection failure error.
- Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
- Change configure to use EVP_sha256 instead of HMAC_Update for
  openssl-3.0.0.
- Update documentation in python example code.
- Review fix interface, doxygen and assign null in case of error free.
- Merge PR NLnetLabs#293: Add missing prototype.  Also refactor to use the new
  shorthand function to clean up the code.
- Refactor to use sock_strerr shorthand function.
- Fix NLnetLabs#296: systemd nss-lookup.target is reached before unbound can
  successfully answer queries. Changed contrib/unbound.service.in.
- Fix num.expired statistics output.
- Remove x file mode on ipset/ipset.c and h files.
- Spelling fix.
- Introduce test for statistics.
- Fix that prefer-ip4 and prefer-ip6 can be get and set with
  unbound-control, with libunbound and the unbound-checkconf option
  output function.
- Merge PR NLnetLabs#311 by luismerino: Dynlibmod leak.
- Error message is logged for dynlibmod malloc failures.
- iana portlist updated.
- Fix NLnetLabs#304: dnstap logging not recovering after dnstap process restarts
- Fix edns-client-tags get_option typo
- Fix NLnetLabs#305: dnstap logging significantly affects unbound performance
  (regression in 1.11).
- Fix NLnetLabs#305: only wake up thread when threshold reached.
- Fix to ifdef fptr wlist item for dnstap.
- Fix memory leak of edns tags at libunbound context delete.
- Fix double loopexit for unbound-dnstap-socket after sigterm.

release-1.12.0rc1

wcawijngaards Wouter Wijngaards
Unbound 1.12.0rc1

release-1.11.0

wcawijngaards Wouter Wijngaards
Unbound 1.11.0

This release contains a number of bug fixes.  Also new features are introduced.  The configure --with-dynlibmodule enables dynamic library support that can have code modules function like the python library scripts.  It allows loading multiple dynlib instances.  The new `include-toplevel: <file or wildcard>` configuration option allows to include a directory with config files where every config file does not modify the config section for the later files so that the include order is idempotent.  This makes it much easier to drop files into a config snippet directory in etc and manage that set of config files, without for example one config file starting a stub section and creating parse errors in another config file with server options.

The `rrset-roundrobin` option now defaults to yes.  This is more in line with what users expect.  The KSK-2010 has been removed from our default key set output.  The option `prefer-ip4` can be used to prefer ip4 over ip6 when reputation for the ip6 netblock is shared with other users.

There is also a dnstap implementation inside Unbound.  This removes the dependency on the libfstrm library.  The protobuf library is still used.
The fstrm protocol code resides in `dnstap/dnstap_fstrm.h` and `dnstap/dnstap_fstrm.c`. This contains a brief definition of what unbound needs.

The `make unbound-dnstap-socket` builds a debug tool, unbound-dnstap-socket. It can listen, accept multiple DNSTAP streams and print information. Commandline options control it.

Unbound can reconnect if the unix domain socket file socket is closed. This uses exponential backoff after which it uses a one second timer to throttle cpu down. There is also support to use TCP and TLS for connecting to the log server. There are new config options to turn them on, in the `dnstap` section in the man page and example config file. `dnstap-ip` with IP address of server for TCP or TLS use. `dnstap-tls` to turn on TLS. And `dnstap-tls-server-name`, `dnstap-tls-cert-bundle`, `dnstap-tls-client-key-file` and `dnstap-tls-client-cert-file` to configure the certificates for server authentication and client authentication, or leave at `""` to not use that.  With `dnstap-bidirectional` the frame streams can be set to bidirectional or unidirectional connection mode.

Features
- Merge NLnetLabs#225 from akhait: KSK-2010 has been revoked. It removes the
  KSK-2010 from the default list in unbound-anchor, now that the
  revocation period is over.  KSK-2017 is the only trust anchor in
  the shipped default now.
- Merge PR NLnetLabs#93: Add dynamic library support.
- Introduce 'include-toplevel:' configuration option.
- Change default value for 'rrset-roundrobin' to yes.
- Add SNI support on more TLS connections (fixes NLnetLabs#193).
- Add SNI support to unbound-anchor.
- Merge PR NLnetLabs#164: Framestreams, this branch implements dnstap
  connectivity in unbound. This has a number of new features.

  The dependency on libfstrm is removed. The fstrm protocol code
  resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This
  contains a brief definition of what unbound needs.

  The make unbound-dnstap-socket builds a debug tool,
  unbound-dnstap-socket. It can listen, accept multiple DNSTAP
  streams and print information. Commandline options control it.

  Unbound can reconnect if the unix domain socket file socket is
  closed. This uses exponential backoff after which it uses a
  one second timer to throttle cpu down. There is also support
  to use TCP and TLS for connecting to the log server. There
  are new config options to turn them on, in the dnstap section
  in the man page and example config file. dnstap-ip with IP
  address of server for TCP or TLS use. dnstap-tls to turn
  on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
  dnstap-tls-client-key-file and dnstap-tls-client-cert-file
  to configure the certificates for server authentication and
  client authentication, or leave at "" to not use that.

- Fix NLnetLabs#165: Add prefer-ip4: yesno config option to prefer ipv4 for
  using ipv4 filters, because the hosts ip6 netblock /64 is not owned
  by one operator, and thus reputation is shared.

Bug Fixes
- protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
  different openssl versions.
- Merge PR NLnetLabs#166: Fix typo in unbound.service.in, by glitsj16.
- Fix NLnetLabs#169: Fix warning for daemon/remote.c output may be truncated
  from snprintf.
- Fix NLnetLabs#170: Fix gcc undefined sanitizer signed integer overflow
  warning in signature expiry RFC1982 serial number arithmetic.
- Fix more undefined sanitizer issues, in respip copy_rrset null
  dname, and in the client_info_compare routine for null memcmp.
- Merge PR NLnetLabs#171: Add additional compilers and platforms to Travis
  testing, by noloader.
- Merge PR NLnetLabs#173: updated makedist.sh for config.guess and
  config.sub and sha256 digest for gpg, by noloader.
- Merge PR NLnetLabs#172: Add IBM s390x arch for testing, by noloader.
- Fix NLnetLabs#177: dnstap does not build on macOS.
- Fix compiler warning in dns64/dns64.c
- Merge PR NLnetLabs#174: Add Android to Travis testing, by noloader.
- Move android build scripts to contrib/ and allow android tests to fail.
- Fix NLnetLabs#175, Merge PR NLnetLabs#176: fix link error when OpenSSL is configured
  with no-engine, thanks noloader.
- Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
- Merge PR NLnetLabs#180 from noloader: Avoid calling exit in Travis script.
- Merge PR NLnetLabs#181 from noloader: Fix OpenSSL -pie warning on Android.
- Update README-Travis.md (from PR NLnetLabs#179), by Jeffrey Walton.
- Fix PR NLnetLabs#182 from noloader: Add iOS testing to Travis.
- Merge PR NLnetLabs#186, fix NLnetLabs#183: Fix unrecognized 'echo -n' option on OS X, by
  noloader.
- Fix NLnetLabs#188: unbound-control.c:882:6: error: 'execlp' is
  unavailable: not available on tvOS.
- Fix NLnetLabs#189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
  type, by noloader.
- Add check to make sure RPZ records are subdomains of configured
  zone origin.
- Fix NLnetLabs#192: In the unbound-checkconf tool, the module config of
  dns64 subnetcache respip validator iterator is whitelisted, it was
  reported it seems to work.
- Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
- Fix NLnetLabs#158: open tls-session-ticket-keys as binary, for Windows. By
  Daisuke HIGASHI.
- Merge PR#134, Allow the kernel to provide random source ports. By
  Florian Obser.
- Log warning when using outgoing-port-permit and outgoing-port-avoid
  while explicit port randomisation is disabled.
- Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
- Fix .travis.yml error, missing 'env' option.
- Merge PR NLnetLabs#197 from fobser: Make log_ident_revert_to_default() a
  proper prototype.
- Merge PR NLnetLabs#198 from fobser: Declare lz_enter_rr_into_zone()
  static, it's only used in this file.
- Fix compile on Solaris for unbound-checkconf.
- Fix compile of test tools without protobuf.
- Merge PR NLnetLabs#200 from yarikk: add ip-dscp option to specify the DSCP
  tag for outgoing packets.
- Travis fix for ios by omitting tools from install.
- Merge PR NLnetLabs#201 from noloader: Fix OpenSSL cross-compile warnings.
- Fix RPZ concurrency issue when using auth_zone_reload.
- Make unbound-control error returned on missing domain name more user
  friendly.
- Merge PR NLnetLabs#203 from noloader: Update README-Travis.md with current
  procedures.
- Merge PR NLnetLabs#207: Clarify if-automatic listens on 0.0.0.0 and ::.
- Merge PR NLnetLabs#208: Fix uncached CLIENT_RESPONSE'es on stateful
  transports.
- Merge PR NLnetLabs#206: Redis TTL, by Talkabout.
- More documentation for redis-expire-records option.
- Keep track of number of timeouts. Use this counter to determine if
  capsforid fallback should be started.
- Merge PR NLnetLabs#214 from gearnode: unbound-control-setup recreate
  certificates.  With the -r option the certificates are created
  again, without it, only the files that do not exist are created.
- Fix NLnetLabs#220: auth-zone section in config may lead to segfault.
- Fix help return code in unbound-control-setup script.
- Fix for posix shell syntax for trap in nsd-control-setup.
- Fix for posix shell syntax for trap in run_msg.sh test script.
- Add doxygen documentation for DSCP.
- Fix NLnetLabs#222: --enable-rpath, fails to rpath python lib.
- Fix for count of reply states in the mesh.
- Remove unneeded was_mesh_reply check.
- Explicitly use 'rrset-roundrobin: no' for test cases.
- Cache ECS answers with longest scope of CNAME chain.
- windows compile warnings removal for ip dscp option code.
- Fix for integer overflow when printing RDF_TYPE_TIME.
- Update contrib/aaaa-filter-iterator.patch for the recent
  generate_sub_request() change and to apply cleanly.
- Merge PR NLnetLabs#241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
  "Requires:".
- Mention tls name possible when tls is enabled for stub-addr in the
  man page.
- Fix default explanation in man page for qname-minimisation-strict.
- Fix display of event loop method with libev.
- iana portlist updated.
- Move reply list clean for serve expired mesh callback to after
  the reply is sent, so that script callbacks have reply_info.
- Also move reply list clean for mesh callbacks so the script callback
  can see the reply_info.
- Fix for mesh accounting if the reply list already empty to begin
  with.
- Fix for mesh accounting when rpz decides to drop a reply with a
  tcp stream waiting for it.
- Review fix for number of detached states due to use of variable
  after end of loop.
- Fix tcp req info drop due to size call into mesh accounting
  removal of mesh state during mesh send reply.
- Fix NLnetLabs#259: Fix unbound-checkconf does not check view existence.
  unbound-checkconf checks access-control-view, access-control-tags,
  access-control-tag-actions and access-control-tag-datas.
- Fix offset of error printout for access-control-tag-datas.
- Fix add missing DSA header, for compilation without deprecated
  OpenSSL APIs.
- Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
  3.0.0-alpha4.
- Longer keys for the test set, this avoids weak crypto errors.
- Add bidirectional frame streams support.
- Fix check conf test for referencing installation paths.
- Fix unused variable warning for clang analyzer.
- Merge PR NLnetLabs#234 - Ensure proper alignment of cmsg buffers by Jérémie
  Courrèges-Anglas.
- Fix PR NLnetLabs#234 log_assert sizeof to use union buffer.
- Fix libnettle compile for session ticket key callback function
  changes.
- Fix lock dependency cycle in rpz zone config setup.
- Fix streamtcp to print packet data to stdout.  This makes the
  stdout and stderr not mix together lines, when parsing its output.
- Fix contrib/fastrpz.patch to apply cleanly.  It fixes for changes
  due to added libdynmod, but it does not compile, it conflicts with
  new rpz code.

release-1.11.0rc1

wcawijngaards Wouter Wijngaards
Unbound 1.11.0rc1

release-1.10.1

wcawijngaards Wouter Wijngaards
Unbound 1.10.1

This release fixes CVE-2020-12662 and CVE-2020-12663.

Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
  query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
  used to make Unbound unresponsive.