November 30, 2009

[installer 2158] unbound-1.4.0

unbound-1.4.0 has been released.

☆ unbound-1.4.0
http://unbound.net/
http://unbound.net/downloads/unbound-1.4.0.tar.gz

From http://www.unbound.net/download.html:

Unbound 1.4.0

Download: unbound-1.4.0.tar.gz
SHA1 checksum: ad5fe28826bfc0baa5b63988361dda7e8dabfb4d
SHA256 checksum: 3f67ecda501d74d8cc9e5c0aa0bcd25c4e03f09ad8e339de643333307ced9c30
Date: 26 November, 2009

Features

* RFC 5702: RSASHA256 and RSASHA512 support enabled by default. Please
use openssl 0.9.8 or later, that provide sha256 and sha512.
* included ldns tarball updated (which also enables rsasha256
support).
* val-log-level: 2 shows extended error information for validation
failures, one line per failure. For example: validation failure
<example.com. DNSKEY IN>: signature expired from 192.0.2.4 for trust
anchor example.com. while building chain of trust
* Made new validator error string available from libunbound for
applications. It is in result->why_bogus, a zero-terminated
string. unbound-host prints it by default if a result is bogus. Also
the errinf is public in module_qstate (for other modules).
* retry on DNSSEC failures, query other servers, unbound works harder
to get valid DNSSEC data.
* so-rcvbuf: 4m option added. Set this on large busy servers to not
drop the occasional packet in spikes due to full socket
buffers. netstat -su keeps a counter of UDP dropped due to full
buffers.
* auto-trust-anchor-file option with RFC5011 support, code from the
NLnet Labs autotrust project (BSD license), is incorporated. In this
way unbound can support trust anchor revocation properly, even
revocation back to the unsigned state. It can read normal anchor
files or autotrust files initially, after probing the file is
written to in a format specific to unbound.
* use linebuffering for log-file: output, this can be significantly
faster than the previous fflush method and enable some class of
resolvers to use high verbosity (for short periods). Not on windows,
because line buffering does not work there.
* Patch from Zdenek Vasicek and Attila Nagy for using the source IP
from python scripts. See pythonmod/examples/resip.py.
* Got a patch from Luca Bruno for libunbound support on windows to
pick up the system resolvconf nameservers and hosts there.
* call OPENSSL_config() in unbound and unit test so that the operator
can use openssl.cnf for configuration options.
* Experimental support (disabled by default) for GOST for unofficial
algorithm number 249 of draft-dolmatov-dnsext-dnssec-gost-01, tested
to work with openssl-1.0.0beta and correct for examples in -01
draft.
* edns-buffer-size option, default 4096. Can be set to 1480 in case of
DNS UDP fragments not arriving from authority servers.
* iana portlist updated.
* contrib/split-itar.sh from Tom Hendrikx to split anchors.mf from the
IANA ITAR into individual key files that can be tracked with
auto-trust-anchor-file.
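
The one-line failure records that val-log-level: 2 writes (described in the Features list above) can be aggregated to see which trust anchor and which upstream server the failures cluster on. The following Python is an added example, not part of the release notes or the unbound distribution; it assumes every record follows the layout of the single sample line quoted above, and the log prefixes, timestamps and the extra sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Layout assumed from the release notes' sample line; from/anchor parts optional.
FAILURE_RE = re.compile(r"validation failure <(\S+) (\S+) (\S+)>: (.*)$")
ANCHOR_RE = re.compile(r" for trust anchor (\S+)")

# Constructed sample log (documentation addresses, made-up timestamps and PIDs).
SAMPLE_LOG = """\
[1259560000] unbound[4021:0] info: start of service (unbound 1.4.0).
[1259560101] unbound[4021:0] info: validation failure <example.com. DNSKEY IN>: signature expired from 192.0.2.4 for trust anchor example.com. while building chain of trust
[1259560102] unbound[4021:0] info: validation failure <www.example.com. A IN>: signature expired from 2001:db8::53 for trust anchor example.com. while building chain of trust
[1259560140] unbound[4021:1] info: validation failure <example.net. DNSKEY IN>: signature expired for trust anchor example.net. while building chain of trust
"""

def find_server(detail):
    """Return (address, offset) of the first ' from X' where X parses as an IP."""
    for m in re.finditer(r" from (\S+)", detail):
        try:
            return str(ipaddress.ip_address(m.group(1))), m.start()
        except ValueError:
            continue  # ' from ' inside the reason text, not a server address
    return None, len(detail)

def parse_failure(line):
    """Parse one log line; return a dict, or None if it is not a failure record."""
    m = FAILURE_RE.search(line.rstrip())
    if not m:
        return None
    qname, qtype, qclass, detail = m.groups()
    server, server_at = find_server(detail)
    anchor = ANCHOR_RE.search(detail)
    anchor_at = anchor.start() if anchor else len(detail)
    return {"qname": qname, "qtype": qtype, "qclass": qclass, "server": server,
            "reason": detail[:min(server_at, anchor_at)],
            "anchor": anchor.group(1) if anchor else None}

def summarize(log_text):
    """Count failures per (trust anchor, reason) and per upstream server."""
    by_anchor, by_server = Counter(), Counter()
    for rec in filter(None, map(parse_failure, log_text.splitlines())):
        by_anchor[(rec["anchor"], rec["reason"])] += 1
        by_server[rec["server"]] += 1
    return by_anchor, by_server

if __name__ == "__main__":
    for table in summarize(SAMPLE_LOG):
        print(table.most_common())
```

Failures concentrated on one server address suggest a problem with that upstream, while the same reason across several servers for one trust anchor suggests the zone's signatures or the configured anchor.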

Bug Fixes

* fixed do-udp: no (only TCP is used).
* removed abort on prealloc failure, error still printed but
softfail.
* Fix bug where autotrust does not work when started with a DS.
* Fix double time subtraction in negative cache reported by Amanda
Constant and Hugh Mahon.
* fix unbound-host so -d can be given before -C.
* fix DNSSEC-missing-signature detection for minimal responses for
qtype DNSKEY (assumes DNSKEY occurs at zone apex).
* fix compile of unbound-host when --enable-alloc-checks.
* Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
* Manual page fixes reported by Tony Finch.
* Fix memory leak reported by Tao Ma.
* increased MAXSYSLOGLEN so .bg key can be printed in debug output.
* Fix bug where DNSSEC-bogus messages were marked with too high
TTL. The RRsets would still expire at the normal time, but this
would keep messages bogus in the cache for too long.
* documented that load_cache is meant for debugging.
* fixup printing errors when load_cache, they were printed to the SSL
connection which had just broken, now to the log.
* Changes to make unbound work with libevent-2.0.3 alpha. (in
configure detection due to new ssl dependency in libevent).
* do not call sphinx for documentation when python is disabled.
* remove EV_PERSIST from libevent timeout code to make the code
compatible with the libevent-2.0. Works with older libevent too.
* fix memory leak in python code.
* makefile fix for parallel makes.
* fixup unbound-control lookup to print forward and stub servers.
* fixup memleak in trust anchor unsupported algorithm check.
* free all memory on program exit, fix for ssl and flex.
* fixup DS lookup at anchor point with unsigned parent.
* fixup DLV lookup for DS queries to unsigned domains.
* Fix so that servers are only blacklisted if they fail to reply to 16
queries in a row and the timeout gets above 2 minutes.
* unbound-control lookup prints out infra cache information, like
RTT.
* Fix bug in DLV lookup reported by Amanda from Secure64. It could
sometimes wrongly classify a domain as unsigned, which does not give
the AD bit on replies.
* Thanks to Surfnet found bug in new dnssec-retry code that failed to
combine well when combined with DLV and then a validation failure.
* removed small memory leak from config file reader.
* fix manpage errors reported by debian lintian.
* Fixed validation failure for CNAME to optout NSEC3 nodata answer.
* unbound-host does not fail on type ANY.
* Fixed wireparse failure to put RRSIGs together with data in some
long ANY mix cases, which fixes validation failures.
* Fixed signer detection of CNAME responses without signatures.
* [bugzilla: 282] Fixed libunbound memleak on error condition by Eric
Sesterhenn.

----
こがよういちろう


Posted by xml-rpc: November 30, 2009 14:47