Lines Matching +full:lp +full:- +full:nonsecure
2 - Merge #1265: Fix WSAPoll.
5 - Fix for print of connection type in log-replies for dot and doh.
8 - Fix to detect if atomic_store links in configure.
9 - Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
12 - Tag for 1.23.0rc1.
13 - Fix fast_reload to print chroot with config file name.
16 - Merge #902: DNS Error Reporting (RFC 9567). Introduces new
17 configuration option 'dns-error-reporting' and new statistics for
21 - Fix mesh_copy_client_info to omit null contents from copy.
22 - Fix comment name in the rpz nsdname test.
23 - Fix nettle compile for warnings and ticket keys.
24 - Fix redis_replica test for unused option defaults and log printout.
25 - Fix test to speed up common.sh script kill_pid.
26 - Fix to update common.sh for speed of kill_pid.
29 - Merge #1019: Redis read-only replica support.
30 Introduces new 'redis-replica-*' options for the Redis cache backend.
33 - Fix #1263: Exempt loopback addresses from wait-limit.
34 - Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
36 - Fix ub_event and include dnstap and win_svc headers.
37 - Fix test for stat_values for wait limit defaults for localhost.
38 - Fix parameter unused warning in net_help.c.
41 - Merge #1262 from markyang92, fix build with
42 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
43 - For #1262, ifdef is no longer needed.
46 - Fix unbound-control test so it counts the new flush_negative output,
49 - Fix that ub_event has the facility to deal with callbacks for
50 fast reload, doq, windows-stop and dnstap.
51 - Fix fast reload test to check if pid exists before acting on it.
54 - Fix escape more characters when printing an RR type with an unquoted
56 - Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
59 - iana portlist update.
60 - Merge #1042: Fast Reload. The unbound-control fast_reload is added.
64 - Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
67 - Fix unit test dname log printout typecast.
68 - Fix for ci test, expat is installed on the osx image.
71 - Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
72 - For #1255, for ios use an older expat version that does not require
74 - For #1255, for ios disable building tests that require C++11.
75 - For #1255, for ios try the latest expat version again.
78 - Fix #1254: `send failed: Socket is not connected` and
82 - Fix #1253: Cache entries fail to be removed from Redis cachedb
83 backend with unbound-control flush* +c.
84 - Fix for #1253: Fix for redis cachedb backend to expect an integer
88 - Fix print of RR type NSAP-PTR, it is an unquoted string.
91 - Fix #1251: WSAPoll first argument cannot be NULL.
92 - Fix for windows compile create ssl contexts.
95 - Fix representation of types GPOS and RESINFO, add rdf type for
99 - Fix 'unbound-control flush_negative' when reporting removed data;
103 - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
104 Add --help output description for the SOURCE_DATE_EPOCH variable.
107 - Merge #1243: Do not shadow tm on line 236.
110 - Fix hash calculation for cachedb to ignore case. Previously, cached
115 - Fix static analysis report about unhandled EOF on error conditions
117 - Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
121 - Consider reconfigurations when calculating the still_useful_timeout
125 - Fix #986: Resolving sas.com with dnssec-validation fails though
129 - Make the default value of module-config "validator iterator"
130 regardless of compilation options. --enable-subnet would implicitly
135 - Merge #1220 from Petr Menšík, Add unbound members group access to
139 - Use the same interface listening port discovery code for all needed
141 - Port to string only when needed before getaddrinfo().
142 - Do not open unencrypted channels next to encrypted ones on the same
144 - Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
148 - Fix compile of interface check code when dnscrypt or quic is
150 - Fix encoding of RR type ATMA.
151 - Fix to check length in ATMA string to wire.
152 - Merge #1229: check before use daemon->shm_info.
155 - Merge #1222: Unique DoT and DoH SSL contexts to allow for different
157 - Create the quic SSL listening context only when needed.
160 - Merge #1221: Consider auth zones when checking for forwarders.
163 - Add resolver.arpa and service.arpa to the default locally served
167 - Fix #1213: Misleading error message on default access control causing
171 - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
175 - Merge #1174: Serve expired cache update fixes. Fixes a regression bug
176 with serve-expired that appeared in 1.22.0 and would not allow the
177 iterator to update the cache with not-yet-validated entries resulting
181 - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
185 - Merge #1204: ci: set persist-credentials: false for actions/checkout
189 - Merge #1189: Fix the dname_str method to cause conversion errors
191 - Merge #1197: dname_str() fixes.
192 - For #1175, the default value of serve-expired-ttl is set to 86400
194 - Merge #1198: Fix log-servfail with serve expired and no useful cache
196 - Safeguard alias loop while looking in the cache for expired answers.
197 - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
199 - Fix typo in log_servfail.tdir test.
202 - Fix #1175: serve-expired does not adhere to secure-by-default
203 principle. The default value of serve-expired-client-timeout
205 - For #1175, update serve-expired tests.
208 - Fix comparison to help static analyzer.
211 - Merge #1169 from Sergey Kacheev, fix: lock-free counters for
215 - Fix #1183: the data being used is released in method
217 - Fix for #1183: release nsec3 hashes per test file.
220 - More descriptive text for 'harden-algo-downgrade'.
221 - Complete fix for max-global-quota to 200.
224 - Increase the default of max-global-quota to 200 from 128 after
229 - Fix for the serve expired DNSSEC information fix, it would not allow
234 - Fix to log redis timeout error string on failure.
237 - Fix SETEX check during Redis (re)initialization.
240 - Fix redis that during a reload it does not fail if the redis
243 - Merge #1167: Makefile.in: fix occasional parallel build failures
247 - Merge #1159: Stats for discard-timeout and wait-limit.
248 - Add test case for #1159.
249 - Some clean up for stat_values.test.
250 - Merge #1170 from Melroy van den Berg, Fix chroot manpage
252 - Merge #1157 from Liang Zhu, Fix heap corruption when calling
256 - Fix #1163: Typos in unbound.conf documentation.
259 - Tag for 1.22.0 release. This did not contain the 1154 fix
264 - Fix for dnsoverquic and dnstap to use the correct dnstap
268 - Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
269 - Fix #1154: Tag Incorrectly Applying for Other Interfaces
273 - Fix to display warning if quic-port is set but dnsoverquic is not
275 - Fix dnsoverquic to extend the number of streams when one is closed.
278 - Fix to disable detection of quic configured ports when quic is
280 - Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
281 - Fix contrib/aaaa-filter-iterator.patch for change in call
285 - Fix cookie_file test sporadic fails for time change during
287 - Fix add reallocarray to alloc stats unit test, and disable
288 override of strdup in unbound-host, and the result of config
290 - Tag for 1.22.0rc1.
293 - Merge #871: DNS over QUIC. This adds `quic-port: 853` and
294 `quic-size: 8m` that enable dnsoverquic, and the counters
297 with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
298 pass that with `--with-ssl=path` to compile unbound as well.
299 - Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
301 - Fix for dnstap compile of doqclient with doq disabled.
304 - Fix #1149: unbound-control-setup hangs sometimes depending on
306 - Fix #1128: Cannot override tcp-upstream and tls-upstream with
307 forward-tcp-upstream and forward-tls-upstream.
310 - Fix CVE-2024-8508, unbounded name compression could lead to denial
312 - This fix was part of 1.21.1, a security point release on 1.21.0.
317 - Fix negative cache NSEC3 parameter compares for zero length NSEC3
319 - Fix unbound dnstap socket test program analyzer warnings about
323 - Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
324 This adds the option `log-time-iso: yes` that logs in ISO8601
328 - Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
329 - More clear text for prefetch and minimal-responses in the
331 - Merge #1143: Fix cache update when serve expired is used. Expired
333 serve-expired is used.
336 - Fix dns64 with prefetch that the prefetch is stored in cache.
339 - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
344 - Add redis-command-timeout: 20 and redis-connect-timeout: 200,
347 specified, the redis-timeout value is used.
350 - Merge #1140: Fix spelling mistake in comments.
353 - Fix and add comments in testdata/val_negcache_ttl.rpl.
356 - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
358 - Add unit test for ttl limit for aggressive nsec.
361 - Fix alloc-size and calloc-transposed-args compiler warnings.
362 - Fix comment to not trigger doxygen unknown command.
365 - Fix config file read for dnstap-sample-rate.
368 - Merge #1135: Add new IANA trust anchor.
371 - Merge #1132: b.root renumbering.
372 - Fix for #1132, adjusted unit test for change in the test file.
373 - Fix for #1132, comment about adjusted copy of reference check.
376 - Unit test for auth zone transfer TLS, and TLS failure.
377 - Fix to print port number in logs for auth zone transfer activities.
380 - Fix that when rpz is applied the message does not get picked up by
382 - Fix that stub-zone and forward-zone clauses do not exhaust memory
386 - Fix #1130: Loads of logs: "validation failure: key for validation
388 non-DNSSEC signed zone.
391 - Merge patch to fix for glue that is outside of zone, with
392 `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
397 - Fix #1127: error: "memory exhausted" when defining more than 9994
398 local-zones.
399 - Fix documentation for cache_fill_missing function.
402 - Add cross platform freebsd, openbsd and netbsd to github ci.
403 - Fix for char signedness warnings on NetBSD.
406 - Add iter-scrub-ns, iter-scrub-cname and max-global-quota
410 - Fix #1126: unbound-control-setup hangs while testing for openssl
414 - Fix spelling for the cache-min-negative-ttl entry in the
416 - Tag for release 1.21.0, the repository continues with 1.21.1
420 - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
422 - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
423 Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
425 - Set version number to 1.21.0 for release. This has tag 1.21.0rc1.
426 - Fix that for windows the module startup is called and sets up
427 the module-config.
430 - Fix that alloc stats has strdup checks, it stops debuggers from
432 - Fix testbound for alloc stats strdup in util/alloc.c.
433 - Merge #1090: Cookie secret file. Adds
434 `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
439 - Fix that alloc stats for forwards and hints are printed, and when
444 - Fix dnstap test program, cleans up to have clean memory on exit,
448 free. Added internal unit test to unbound-dnstap-socket for that.
449 - Fix that the worker mem report with alloc stats does not attempt
454 - Fix for #1114: Fix that cache fill for forward-host names is
455 performed, so that with nonzero target-fetch-policy it fetches
464 - Fix to document parameters of auth_zone_verify_zonemd_with_key.
467 - Add root key 38696 from 2024 for DNSSEC validation. It is added
468 to the default root keys in unbound-anchor. The content can be
469 inspected with `unbound-anchor -l`.
472 - Fix #1106: ratelimit-below-domain logs the wrong FROM address.
473 - Cleanup ede.tdir test.
474 - For #935 and #1104, clarify RPZ order and semantics.
477 - Merge #1110: Make fallthrough explicit for libworker.c.
478 - For #1110: Test for fallthrough attribute in configure and add
480 - Fix compile when the compiler does not support the noreturn
482 - Fix to have empty definition when not supported for weak attribute.
483 - Fix uninitialized variable warning in create_tcp_accept_sock.
484 - Fix link of dnstap without openssl.
485 - Fix link of unbound-dnstap-socket without openssl.
488 - Add dnstap-sample-rate that logs only 1/N messages, for high volume
490 - Fix dnstap wakeup, a running wakeup timer is left to expire and not
497 - For #1103: Fix to drop mesh state reference for the http2 stream
503 - For #1103: fix to also drop mesh state reference when the discard
508 - Add RPZ tag tests in acl_interface.tdir.
509 - For #1102: clearer text for using interface-* options for the
513 - Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
514 - For #1103: fix to also drop mesh state reference when a h2 reply is
518 - For #773: In contrib/unbound.service.in set unbound to start after
519 network-online.target. Also for contrib/unbound_portable.service.in.
522 - Update list of known EDE codes.
525 - Fix that validation reason failure that uses string print uses
527 - Fixup algo_needs_reason string buffer length.
528 - Fix shadowed error string variable in validator dnskey handling.
531 - Don't check for message TTL changes if the RRsets remain the same.
534 - Fix for neater printout for error for missing DS response.
535 - Fix neater printout.
536 - Fix #1099: Unbound core dump on SIGSEGV.
537 - Fix for #1099: Fix to check for deleted RRset when the contents
542 - Fix to print details about the failure to lookup a DNSKEY record
547 - Fix for repeated use of a DNAME record: first overallocate and then
552 - Fix #144: Port ipset to BSD pf tables.
553 - Add unit test skip files and bison and flex output to gitignore.
554 - Fix to use modstack_init in zonemd unit test.
555 - Fix to remove unneeded linebreak in fptr_wlist.c.
556 - Fix compile warnings in fptr_wlist.c.
559 - Fix to remove unused include from the readzone test program.
560 - Fix unused variable warning in do_cache_remove.
561 - Fix compile warning in worker pthread id printout.
564 - Fix ip-ratelimit-cookie setting, it was not applied.
567 - Explicitly set the RD bit for the mesh query flags when prefetching.
572 - Fix pkg-config availability check in dnstap/dnstap.m4 and
576 - Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
578 the default pkg-config unavailability error message to be shown.
581 - Fix #1091: Build fails with OpenSSL >= 3.0 built with
585 - Add unit test for validation of repeated use of a DNAME record.
588 - Fix memory leak in setup of dsa sig.
589 - Fix typos for 'the the' in text.
590 - Fix validation for repeated use of a DNAME record.
593 - Merge #1080: AddressSanitizer detection in tdir tests and memory leak
595 - Fix memory leak when reload_keep_cache is used and num-threads
597 - Fix memory leak on exit for unbound-dnstap-socket; creates false
601 - Fix to squelch connection reset by peer errors from log. And fix
605 - Fix #1079: tags from tagged rpz zones are no longer honored after
607 - Fix for #1079: fix RPZ taglist in iterator callback that no client
611 - Merge #1078: Only check old pid if no username.
614 - Fix to enable that SERVFAIL is cached, for a short period, for more
616 - Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
619 - Fix unused variable warning on compilation with no thread support.
620 - unbound-control-setup: check openssl availability before doing
622 - Update patch to remove 'command' shell builtin and update error
626 - Fix #1064: Unbound 1.20 Cachedb broken?
629 - Fix #1059: Intermittent DNS blocking failure with local-zone and
631 unbound-control was not finding the zone's parent correctly.
634 - Merge #1073: fix null pointer dereference issue in function
636 - Fix to print a parse error when config is read with no name for
637 a forward-zone, stub-zone or view.
638 - Fix for parse end of forward-zone, stub-zone and view.
639 - Fix for #1064: Fix that cachedb expired messages are considered
643 - Merge #1069: Fix unbound-control stdin commands for multi-process
645 - Fix unbound-control commands that read stdin in multi-process
649 are no longer supported in multi-process operation.
650 - Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir
654 - Merge #1070: Fix rtt assignement for low values of
655 infra-cache-max-rtt.
658 - Fix #1071: [FR] Clear both in-memory and cachedb module cache with
659 `unbound-control flush*` commands.
662 - Add missing common functions to tdir tests.
665 - Fix when the mesh jostle is exceeded that nameserver targets are
670 - Fix to squelch udp connect errors in the log at low verbosity about
674 - Merge #1062: Fix potential overflow bug while parsing port in
676 - Fix for #1062: declaration before statement, avoid print of null,
680 - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
683 - Set version number to 1.20.0 for release. This became the release
687 - Cleanup unnecessary strdup calls for EDE strings.
690 - Fix doxygen comment for errinf_to_str_bogus.
693 - Fix cachedb with serve-expired-client-timeout disabled. The edns
695 stores a result, and serve-expired is enabled, so that the global
698 - Add unit tests for cachedb and subnet cache expired data.
699 - Man page entry for unbound-checkconf -q.
702 - Fix #876: [FR] can unbound-checkconf be silenced when configuration
706 - Fix configure flto check error, by finding grep for it.
707 - Merge #1041: Stub and Forward unshare. This has one structure
710 - Fix to disable fragmentation on systems with IP_DONTFRAG,
712 - Fix doc unit test for out of directory build.
715 - Fix ci workflow for macos for moved install locations.
718 - Merge #1053: Remove child delegations from cache when grandchild
722 - Add checklock feature verbose_locking to trace locks and unlocks.
723 - Fix edns subnet to sort rrset references when storing messages
727 - Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
728 - Fix configure, autoconf for #1048.
731 - Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since
735 - Fix cachedb for serve-expired with serve-expired-client-timeout.
736 - Fixup unit test for cachedb server expired client timeout with
738 - Fixup cachedb to not refetch when serve-expired-client-timeout is
742 - Implement cachedb-check-when-serve-expired: yes option, default
745 - Fixup compile without cachedb.
746 - Add test for cachedb serve expired.
747 - Extended test for cachedb serve expired.
748 - Fix makefile dependencies for fake_event.c.
749 - Fix cachedb for serve-expired with serve-expired-reply-ttl.
750 - Fix to not reply serve expired unless enabled for cachedb.
753 - Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates
754 config.guess(2024-01-01) and config.sub(2024-01-01), verified
758 - Fix #595: unbound-anchor cannot deal with full disk; it will now
760 like Unbound already does for auto-trust-anchor-file.
763 - Fix comment syntax for view function views_find_view.
766 - Merge #1027: Introduce 'cache-min-negative-ttl' option.
769 - Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
771 - For #1040: adjust error text and disallow negative ports in other
775 - Fix #1035: Potential Bug while parsing port from the "stub-host"
776 string; also affected forward-zones and remote-control host
778 - Fix #369: dnstap showing extra responses; for client responses
783 - Fix #1034: DoT forward-zone via unbound-control.
784 - Fix for crypto related failures to have a better error string.
787 - Fix name of unit test for subnet cache response.
788 - Fix #1032: The size of subnet_msg_cache calculation mistake cause
790 - Fix for #1032, add safeguard to make table space positive.
791 - Fix comment in lruhash space function.
792 - Fix to add unit test for lruhash space that exercises the routines.
793 - Fix that when the server truncates the pidfile, it does not follow
795 - Fix that the server does not chown the pidfile.
798 - Merge #831 from Pierre4012: Improve Windows NSIS installer
800 - For #831: Format text, use exclamation icon and explicit label
804 - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
806 - Fix localdata and rpz localdata to match CNAME only if no direct
810 - Fix that rpz CNAME content is limited to the max number of cnames.
811 - Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
813 - Fix rpz that copies the cname override completely to the temp
815 - Add rpz unit test for nsip action override.
816 - Fix rpz for qtype CNAME after nameserver trigger.
819 - Merge #1030: Persist the openssl and expat directories for repeated
823 - Fix that addrinfo is not kept around but copied and freed, so that
824 log-destaddr uses a copy of the information, much like NSD does.
827 - Fix #1029: rpz trigger clientip and action rpz-passthru not working
829 - Fix rpz that the rpz override is taken in case of clientip triggers.
833 - Fix to unify codepath for local alias for rpz cname action override.
834 - Fix rpz for cname override action after nsdname and nsip triggers.
837 - Merge #1028: Clearer documentation for tcp-idle-timeout and
838 edns-tcp-keepalive-timeout.
841 - Fix #1021 Inconsistent Behavior with Changing rpz-cname-override
842 and doing a unbound-control reload.
845 - Fix unbound-control-setup.cmd to use 3072 bits so that certificates
848 - Fix TTL of synthesized CNAME when a DNAME is used from cache. This
850 - Remove unused portion from iter_dname_ttl unit test.
851 - Fix validator classification of qtype DNAME for positive and
855 - Fix qname minimisation for reply with a DNAME for qtype CNAME that
857 - Fix doc test so it ignores but outputs unsupported doxygen options.
858 - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
859 like unbound-control-setup.sh has. This fix is included in 1.19.3rc2.
862 - Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
866 - Version set to 1.19.3 for release. After 1.19.2 point release with
867 security fix for CVE-2024-1931, Denial of service when trimming
873 - Fix for #1022: Fix ede prohibited in access control refused answers.
876 - Fix edns subnet replies for scope zero answers to not get stored
881 - Move github workflows to use checkoutv4.
884 - Document the suspend argument for process_ds_response().
887 - Fix trim of EDE text from large udp responses from spinning cpu.
890 - Merge #1010: Mention REFUSED has the TC bit set with unmatched
896 - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
898 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
899 - These fixes are part of the 1.19.1 release, that is a security
904 - Fix documentation for access-control in the unbound.conf man page.
907 - Fix #1006: Can't find protobuf-c package since #999.
910 - Merge #999: Search for protobuf-c with pkg-config.
913 - Update message TTL when using cached RRSETs. It could result in
914 non-expired messages with expired RRSETs (non-usable messages by
918 - Update error printout for duplicate trust anchors to include the
922 - Fix for #997: Print details for SSL certificate failure.
925 - Update workflow for ports to use newer openssl on windows compile.
926 - Fix warning for windres on resource files due to redefinition.
929 - Fix to link with libssp for libcrypto and getaddrinfo check for
931 - Merge #993: Update b.root-servers.net also in example config file.
934 - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
937 - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
940 - Merge #987: skip edns frag retry if advertised udp payload size is
942 - Fix unit test for #987 change in udp1xxx retry packet send.
945 - Remove unneeded newlines and improve indentation in remote control
949 - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
950 for non-HTTP/2 DoH clients.
951 - Merge #985: Add DoH and DoT to dnstap message.
952 - Fix #983: Sha1 runtime insecure change was incomplete.
955 - Update example.conf with cookie options.
958 - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
962 - Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
966 - Fix #974: doc: default number of outgoing ports without libevent.
967 - Merge #975: Fixed some syntax errors in rpl files.
970 - Fix to sync the tests script file common.sh.
971 - iana portlist update.
972 - Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
973 - Update test script file common.sh.
974 - Fix tests to use new common.sh functions, wait_logfile and
978 - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
979 - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
980 - Fix dnstap that assertion failed on logging other than UDP and TCP
984 - Merge #968: Replace the obsolescent fgrep with grep -F in tests.
987 - Fix #964: config.h.in~ backup file in release tar balls.
990 - Use 127.0.0.1 explicitly in tests to avoid delays and errors on
994 - Fix unit test parse of origin syntax.
997 - Set version number to 1.19.0.
998 - Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
1002 - Mention flex and bison in README.md when building from repository
1006 - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
1007 - Fix SSL compile failure for other missing definitions in
1009 - Fix compilation without openssl, remove unused function warning.
1012 - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
1016 - Merge #930 from Stuart Henderson: add void to
1020 - autoconf.
1023 - Clearer configure text for missing protobuf-c development libraries.
1026 - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
1032 - Fix to print detailed errors when an SSL IO routine fails via
1036 - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
1039 - Fixes for the DNS64 patches.
1040 - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
1041 - Merge #955 from buevsan: fix ipset wrong behavior.
1042 - Update testdata/ipset.tdir test for ipset fix.
1045 - Fix #954: Inconsistent RPZ handling for A record returned along with
1049 - Expose the script filename in the Python module environment 'mod_env'
1052 - Expose the configured listening and outgoing interfaces, if any, as
1055 - For multi Python module setups, clean previously parsed module
1060 - Better fix for infinite loop when reading multiple lines of input on
1065 - Merge #944: Disable EDNS DO.
1071 is disable-edns-do: no
1074 - Fix #850: [FR] Ability to use specific database in Redis, with new
1075 redis-logical-db configuration option.
1078 - Fix #949: "could not create control compt".
1079 - Fix that cachedb does not warn when serve-expired is disabled about
1080 use of serve-expired-reply-ttl and serve-expired-client-timeout.
1081 - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
1084 - Fix infinite loop when reading multiple lines of input on a broken
1088 - Fix edns subnet so that queries with a source prefix of zero cause
1090 - Fix that printout of EDNS options shows the EDNS cookie option by
1094 - Fix #946: Forwarder returns servfail on upstream response noerror no
1098 - Merge #881: Generalise the proxy protocol code.
1101 - Fix misplaced comment.
1104 - Fix #942: 1.18.0 libunbound DNS regression when built without
1108 - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
1111 - Merge #936: Check for c99 with autoconf versions prior to 2.70.
1112 - Fix to remove two c99 notations.
1115 - Fix authority zone answers for obscured DNAMEs and delegations.
1118 - Fix send of udp retries when ENOBUFS is returned. It stops looping
1123 - Fix to scrub resource records of type A and AAAA that have an
1125 - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
1126 - Fix to add EDE text when RRs have been removed due to length.
1127 - Fix to set ede match in unit test for rr length removal.
1128 - Fix to print EDE text in readable form in output logs.
1131 - Merge #931: Prevent warnings from -Wmissing-prototypes.
1134 - Fix autoconf 2.69 warnings in configure.
1135 - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
1138 - Fix for WKS call to getservbyname that creates allocation on exit
1143 - Fix for version generation race condition that ignored changes.
1146 - Fix compile error on NetBSD in util/netevent.h.
1149 - Tag for 1.18.0rc1 release. This became the 1.18.0 release on
1154 - Set version number to 1.18.0.
1157 - Debug Windows ci workflow.
1158 - Fix windows ci workflow to install bison and flex.
1159 - Fix for #925: unbound.service: Main process exited, code=killed,
1161 - Fix #923: processQueryResponse() THROWAWAY should be mindful of
1163 - Fix unit test for unbound-control to work when threads are disabled,
1167 - Fix for iter_dec_attempts that could cause a hang, part of
1169 - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
1170 - Fix stat_values test to work with dig that enables DNS cookies.
1173 - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
1176 `answer-cookie: yes`. A `cookie-secret:` can be configured for
1181 `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
1183 - Fix regional_alloc_init for potential unaligned source of the copy.
1184 - Fix ip_ratelimit test to work with dig that enables DNS cookies.
1187 - Move a cache reply callback in worker.c closer to the cache reply
1191 - Merge #911 from natalie-reece: Exclude EDE before other EDNS options
1193 - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
1195 - More braces and formatting for Fix for EDNS EDE size calculation to
1197 - Fix to use the now cached EDE, if any, for CD_bit queries.
1200 - Fix for EDNS EDE size calculation.
1203 - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
1207 - iana portlist update.
1210 - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
1213 - Fix unused variable compile warning for kernel timestamps in
1217 - Merge #857 from eaglegai: fix potential memory leaks when errors
1219 - For #857: fix mixed declarations and code.
1220 - Merge #118 from mibere: Changed verbosity level for Redis init &
1222 - Merge #390 from Frank Riley: Add missing callbacks to the python
1224 - Cleaner failure code for callback functions in interface.i.
1225 - Merge #889 from borisVanhoof: Free memory in error case + remove
1227 - For #889: use netcat-openbsd instead of netcat-traditional.
1228 - For #889: Account for num_detached_states before possible
1232 - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
1234 - For #909: Fix return values.
1235 - Merge #901 from Sergei Trofimovich: config: improve handling of
1239 - For #909: Fix RR class comparison.
1242 - More clear description of the different auth-zone behaviors on the
1246 - Merge #880 from chipitsine: services/authzone.c: remove redundant
1250 - Merge #664 from tilan7763: Add prefetch support for subnet cache
1252 - For #664: Easier code flow for subnetcache prefetching.
1253 - For #664: Add testcase.
1254 - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
1258 - Merge #739: Add SVCB dohpath support.
1259 - Code cleanup for sldns_str2wire_svcparam_key_lookup.
1260 - Merge #802: add validation EDEs to queries where the CD bit is set.
1261 - For #802: Cleanup comments and add RCODE check for CD bit test case.
1262 - Skip the 00-lint test. splint is not maintained; it either does not
1267 - Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
1268 - Fix dereference of NULL variable warning in mesh_do_callback.
1271 - More fixes for reference counting for python module and clean up
1273 - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
1277 - Fix python modules with multiple scripts, by incrementing reference
1281 - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
1283 - Remove warning about unknown cast-function-type warning pragma.
1286 - Merge #903: contrib: add yocto compatible init script.
1289 - Fix for issue #887 (Timeouts to forward servers on BSD based
1291 - Probably fixes #516 (Stream reuse does not work on Windows) as well
1294 - Properly handle all return values of worker_check_request during
1296 - Do not check the incoming request more than once.
1299 - Merge #896: Fix: #895: pythonmodule: add all site-packages
1301 - Fix #895: python + sysconfig gives ANOTHER path comparing to
1303 - Fix for uncertain unit test for doh buffer size events.
1306 - Fix unbound-dnstap-socket printout when no query is present.
1307 - Fix unbound-dnstap-socket time fraction conversion for printout.
1310 - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
1311 - Fix to remove unused variables from RPZ clientip data structure.
1314 - Fix #888: [FR] Use kernel timestamps for dnstap.
1315 - Fix to print debug log for ancillary data with correct IP address.
1318 - Fix warning in windows compile, in set_recvtimestamp.
1321 - Fix #885: Error: util/configlexer.c: No such file or directory,
1323 - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
1324 - Fix doxygen in addr_to_nat64 header definition.
1327 - Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
1328 - For #722: minor fixes, formatting, refactoring.
1331 - Fix RPZ IP responses with trigger rpz-drop on cache entries, that
1335 - Fix issue #860: Bad interaction with 0 TTL records and serve-expired
1338 - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
1339 sock-queue-timeout option that drops packets that have been in the
1342 - Fix for #882: small changes, date updated in Copyright for
1345 - Fix for #882: document variable to stop doxygen warning.
1348 - Fix for #878: Invalid IP address in unbound.conf causes Segmentation
1352 - Merge #875: change obsolete txt URL in unbound-anchor.c to point
1356 - Fix build badge, from failing travis link to github ci action link.
1359 - Fix for #870: Add test case for the qname minimisation and CNAME.
1362 - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
1366 - Fix issue #676: Unencrypted query is sent when
1367 forward-tls-upstream: yes is used without tls-cert-bundle
1368 - Extra consistency check to make sure that when TLS is requested,
1372 - Fix issue #851: reserved identifier violation
1375 - iana portlist update.
1378 - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
1382 - Fix ssl.h include brackets, instead of quotes.
1385 - Fix unbound-dnstap-socket test program to reply the finish frame
1389 - Fix for #852: Completion of error handling.
1392 - Fix #825: Unexpected behavior with client-subnet-always-forward
1393 and serve-expired
1396 - Clean up iterator/iterator.c::error_response_cache() and allow for
1397 better interaction with serve-expired, prefetch and cached error
1401 - Allow TTL refresh of expired error responses.
1402 - Add testcase for refreshing expired error responses.
1405 - Fix to ignore entirely empty responses, and try at another authority.
1409 - Fix unit tests for spurious empty messages.
1410 - Fix consistency of unit test without roundrobin answers for the
1412 - Fix to git ignore the library symbol file that configure can create.
1415 - Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
1418 - Add duration variable for speed_local.test.
1421 - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
1424 - Fix #833: [FR] Ability to set the Redis password.
1427 - Fix #835: [FR] Ability to use Redis unix sockets.
1430 - Merge #819: Added new static zone type block_a to suppress all A
1434 - Set max-udp-size default to 1232. This is the same default value as
1435 the default value for edns-buffer-size. It restricts client edns
1440 - Add harden-unknown-additional option. It removes
1443 - Set default for harden-unknown-additional to no. So that it does
1445 - Fix test for new default.
1448 - Fix not following cleared RD flags potentially enables amplification
1454 - Merge #826: Аdd a metric about the maximum number of collisions in
1456 - Improve documentation for #826, describe the large collisions amount.
1459 - Fix python module install path detection.
1460 - Fix python version detection in configure.
1463 - Fix #823: Response change to NODATA for some ANY queries since
1465 - Fix wildcard in hyperlocal zone service degradation, reported
1471 - Tag for 1.17.1 release.
1474 - Fix windows compile for libunbound subprocess reap comm point closes.
1475 - Update github workflows to use checkout v3.
1478 - Merge #569 from JINMEI Tatuya: add keep-cache option to
1479 'unbound-control reload' to keep caches.
1482 - Expose 'statistics-inhibit-zero' as a configuration option; the
1484 - Expose 'max-sent-count' as a configuration option; the
1486 - Merge #461 from Christian Allred: Add max-query-restarts option.
1491 - Merge #808: Wrap Makefile script's directory variables in quotes.
1492 - Fix to wrap Makefile scripts directory in quotes for uninstall.
1495 - Fix #773: When used with systemd-networkd, unbound does not start
1496 until systemd-networkd-wait-online.service times out.
1499 - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
1500 - Clear documentation for interactivity between the subnet module and
1501 the serve-expired and prefetch configuration options.
1504 - Fix #782: Segmentation fault in stats.c:404.
1507 - Fix for the ignore of tcp events for closed comm points, preserve
1511 - Merge #720 from jonathangray: fix use after free when
1515 - Ignore expired error responses.
1518 - Fix #779: [doc] Missing documention in ub_resolve_event() for
1522 - Complementary fix for distutils.sysconfig deprecation in Python 3.10
1526 - Fix to ignore tcp events for closed comm points.
1527 - Fix to make sure to not read again after a tcp comm point is closed.
1528 - Fix #775: libunbound: subprocess reap causes parent process reap
1530 - iana portlist update.
1533 - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
1537 - Fix that cachedb does not store failures in the external cache.
1540 - Clarify the use of MAX_SENT_COUNT in the iterator code.
1543 - testcode/dohclient sets log identity to its name.
1546 - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
1548 - In unit test, print python script name list correctly.
1551 - Tag for 1.17.0 release. The code repository continues with 1.17.1.
1554 - Fix PROXYv2 header read for TCP connections when no proxied addresses
1558 - Tag for 1.17.0rc1 release.
1561 - Fix to stop possible loops in the tcp reuse code (write_wait list
1564 - Fix unit test to properly test the reuse_write_wait_pop function.
1567 - Fix to stop responses with TC flag from resulting in partial
1570 - Fix proxy length debug output printout typecasts.
1573 - Fix dnscrypt compile for proxy protocol code changes.
1576 - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
1577 - Fix string comparison in mini_tdir.sh.
1578 - Make ede.tdir test more predictable by using static data.
1579 - Fix checkconf test for dnscrypt and proxy port.
1582 - Merge #764: Leniency for target discovery when under load (for
1586 - Fix static analysis report to remove dead code from the
1588 - Fix to clean up after the acl_interface unit test.
1591 - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
1595 - Fix to remove erroneous TC flag from TCP upstream.
1596 - Fix test tdir skip report printout.
1597 - Fix windows compile, the identifier interface is defined in headers.
1598 - Fix to close errno block in comm_point_tcp_handle_read outside of
1602 - Better output for skipped tdir tests.
1605 - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
1606 - This patch was released in 1.16.3, the code repository continues
1608 - Fix doxygen warning in respip.h.
1611 - Convert tdir tests to use the new skip_test functionality.
1612 - Remove unused testcode/mini_tpkg.sh file.
1615 - Merge #753: ACL per interface. (New interface-* configuration
1619 - Remove include that was there for debug purposes.
1620 - Fix to check pthread_t size after pthread has been detected.
1623 - Fix to update config tests to fix checking if nonblocking sockets
1625 - Slow down log frequency of write wait failures.
1626 - Fix to set out of file descriptor warning to operational verbosity.
1627 - Fix to log a verbose message at operational notice level if a
1632 - Fix to avoid process wide fcntl calls mixed with nonblocking
1634 - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
1637 - Fix to wait for blocked write on UDP sockets, with a timeout if it
1639 - Fix for wait for udp send to stop when packet is successfully sent.
1642 - Fix #741: systemd socket activation fails on IPv6.
1645 - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
1649 - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
1653 - Fix ratelimit inconsistency, for ip-ratelimits the value is the
1657 - Fix edns subnet so that scope 0 answers only match sourcemask 0
1659 - Fix unittest for edns subnet change.
1660 - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
1664 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
1665 - Tests for ghost domain fixes.
1666 - Tag for 1.16.2 release. The code repo continues with 1.16.3.
1667 - Fix #728: alloc_reg_obtain() core dump. Stop double
1671 - Update documentation for 'outbound-msg-retry:'.
1674 - Merge #718: Introduce infra-cache-max-rtt option to config max
1678 - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
1680 - iana portlist update.
1683 - For windows crosscompile, fix setting the IPV6_MTU socket option
1685 cross-compiler versions.
1688 - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
1691 - Fix verbose EDE error printout.
1694 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
1696 - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
1700 - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
1704 - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
1706 - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
1707 - For #660: formatting, less verbose logging, add EDE information.
1708 - Fix for correct openssl error when adding windows CA certificates to
1710 - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
1711 - Reintroduce documentation and more EDE support for
1715 - Merge PR #706: NXNS fallback.
1716 - From #706: Cached NXDOMAIN does not increase the target nx
1718 - From #706: Don't generate parent side queries if we already
1720 - From #706: When a lame address is the best choice, don't try to
1724 - iana portlist update.
1725 - Fix detection of libz on windows compile with static option.
1726 - Fix compile warning for windows compile.
1729 - Add debug option to the mini_tdir.sh test code.
1730 - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
1731 sent; introduces 'num.query.udpout' to the 'unbound-control stats'
1733 - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
1734 - Allow fallback to the parent side when MAX_TARGET_NX is reached.
1738 - Show the output of the exact .rpl run that failed with 'make test'.
1739 - Fix for cached 0 TTL records to not trigger prefetching when
1740 serve-expired-client-timeout is set.
1743 - Fix test program dohclient close to use portability routine.
1746 - Clarify -v flag manpage entry (#705)
1749 - Fix #663: use after free issue with edns options.
1752 - Fix for loading locally stored zones that have lines with blanks or
1756 - Remove unused LDNS function check for GOST Engine unloading.
1759 - Merge PR #688: Rpz url notify issue.
1760 - Note in the unbound.conf text that NOTIFY is allowed from the url:
1764 - Fix for edns client subnet to respect not looking in its cache when
1768 - makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
1771 - Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distributions)
1772 - Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
1777 - Fix to silence test for ede error output to the console from the
1779 - Fix ede test to not use default pidfile, and use local interface.
1780 - Fix some lint type warnings.
1783 - Fix typos in config_set_option for the 'num-threads' and
1784 'ede-serve-expired' options.
1787 - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
1788 by updating unbound-control's documentation.
1791 - Fix #417: prefetch and ECS causing cache corruption when used
1795 - Merge #677: Allow using system certificates not only on Windows,
1797 - For #677: Added tls-system-cert to config parser and documentation.
1800 - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
1804 - Fix Python build in non-source directory; based on patch by
1808 - Merge PR #604: Add basic support for EDE (RFC8914).
1811 - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
1815 - Fix zonemd check to allow unsupported algorithms to load.
1819 - Fix zonemd unsupported algo check.
1820 - Fix zonemd unsupported algo check reason to not copy to next record,
1822 - Fix zonemd unsupported algo check to print unsupported reason before
1824 - Fix zonemd unsupported algo check to set reason to NULL before the
1829 - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
1832 - Fix #651: [FR] Better logging for refused queries.
1835 - Merge PR #648 from eaglegai: fix -q doesn't work when use with
1836 'unbound-control stats_shm'.
1839 - Fix to describe auth-zone and other configuration at the local-zone
1843 - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
1846 - Merge #644: Make `install-lib` make target install the pkg-config
1850 - Fix configure for python to use sysutils, because distutils is
1854 - Fix #637: Integer Overflow in sldns_str2period function.
1855 - Fix for #637: fix integer overflow checks in sldns_str2period.
1858 - Merge PR #632 from scottrw93: Match cnames in ipset.
1859 - Various fixes for #632: variable initialisation, convert the qinfo
1860 to str once, accept trailing dot in the local-zone ipset option.
1863 - Fix compile warnings for printf ll format on mingw compile.
1866 - Fix pythonmod for change in iter_dp_is_useless function prototype.
1869 - Fix #630: Unify the RPZ log messages.
1870 - Merge #623 from rex4539: Fix typos.
1873 - Fix #633: Document unix domain socket support for unbound-control.
1874 - Fix for #633: updated fix with new text.
1875 - Fix edns client subnet to add the option based on the option list,
1878 - Fix for edns client subnet option add fix in removal code, from review.
1881 - Fix to detect that no IPv6 support means that IPv6 addresses are
1883 - update Makefile dependencies.
1884 - Fix check interface existence for support detection in remote lookup.
1887 - Fix that address not available is squelched from the logs for
1889 - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
1893 - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
1896 - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
1899 - Fix #624: Unable to stop Unbound in Windows console (does not
1901 - Fix #618: enabling interface-automatic disables DNS-over-TLS.
1902 Adds the option to list interface-automatic-ports.
1903 - Remove debug info from #618 fix.
1906 - Fix that TCP interface does not use TLS when TLS is also configured.
1909 - Fix #412: cache invalidation issue with CNAME+A.
1912 - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
1913 - Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
1917 - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
1918 - Merge PR #616: Update ratelimit logic. It also introduces
1919 ratelimit-backoff and ip-ratelimit-backoff configuration options.
1920 - Change aggressive-nsec default to yes.
1921 - Merge PR #617: Update stub/forward-host notation to accept port and
1922 tls-auth-name.
1923 - Update stream_ssl.tdir test to also use the new forward-host
1927 - Update version number in repo to 1.15.0 for upcoming release,
1928 since it changes the aggressive-nsec default and the ratelimit change.
1929 - Fix header comment for doxygen for authextstrtoaddr.
1930 - please clang analyzer for loop in test code.
1931 - Fix docker splint test to use more portable uname.
1932 - Update contrib/aaaa-filter-iterator.patch with diff for current
1936 - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
1940 - Fix review comment for use-after-free when failing to send UDP out.
1943 - iana portlist update.
1946 - Fix tls-* and ssl-* documented alternate syntax to also be available
1947 through remote-control and unbound-checkconf.
1948 - Better cleanup on failed DoT/DoH listening socket creation.
1951 - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
1955 - Test for NSID in SERVFAIL response due to DNSSEC bogus.
1958 - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
1960 - Merge PR #612: TCP race condition.
1963 - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
1966 - For dnstap, do not wakeupnow right there. Instead zero the timer to
1970 - Merge PR #605:
1971 - Fix EDNS to upstream where the same option could be attached
1973 - Add a region to serviced_query for allocations.
1976 - Add rpz: for-downstream: yesno option, where the RPZ zone is
1979 - For #602: Allow the module-config "subnetcache validator cachedb
1983 - Fix prematurely terminated TCP queries when a reply has the same ID.
1986 - Merge #600 from pemensik: Change file mode before changing file
1990 - Fix for #596: fix that rpz return message is returned and not just
1993 - Fix unit tests for rpz now that the AA flag returns successfully from
1995 - Fix for #596: add unit test for nsdname trigger and signal unset RA.
1996 - Fix for #596: add unit test for nsip trigger and signal unset RA.
1997 - Fix #598: Fix unbound-checkconf fatal error: module conf
1999 - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
2003 - Fix #596: unset the RA bit when a query is blocked by an unbound
2004 RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
2007 - Fix to add test for rpz-signal-nxdomain-ra.
2008 - Fix #596: only unset RA when NXDOMAIN is signalled.
2009 - Fix that RPZ does not set RD flag on replies, it should be copied
2013 - contrib/aaaa-filter-iterator.patch file renewed diff content to
2017 - Fix #591: Unbound-anchor manpage links to non-existent license file.
2020 - Add missing configure flags for optional features in the
2022 - Fix Unbound capitalization in the documentation.
2025 - Fix to pick up other class local zone information before unlock.
2028 - Allow local-data for classes other than IN to inherit a configured
2029 local-zone's type if possible, instead of defaulting to type
2033 - Add code similar to fix for ldns for tab between strings, for
2037 - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
2039 - Fix validator debug output about DS support, print correct algorithm.
2042 - Fix compile warning for if_nametoindex on windows 64bit.
2045 - configure is set to 1.14.0, and release branch.
2048 - Fix doc/unbound.doxygen to remove obsolete tag warning.
2051 - Merge PR #511 from yan12125: Reduce unnecessary linking.
2052 - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
2053 - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
2054 link-local addresses.
2055 - Merge PR #562 from Willem: Reset keepalive per new tcp session.
2056 - Merge PR #522 from sibeream: memory management violations fixed.
2057 - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
2058 - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
2059 - Fix #574: Review fixes for size allocation.
2062 - Fix to remove git tracking and ci information from release tarballs.
2063 - iana portlist update.
2066 - Merge PR #570 from rex4539: Fix typos.
2067 - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
2068 - Fix to make python module opt_list use opt_list_in.
2069 - Fix #574: unbound-checkconf reports fatal error if interface names
2071 - Fix #574: Review fixes for it.
2072 - Fix #576: [FR] UB_* error codes in unbound.h
2073 - Fix #574: Review fix for spelling.
2076 - Improve EDNS option handling, now also works for synthesised
2077 responses such as local-data and server.id CH TXT responses.
2080 - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
2082 - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
2085 - Fix that forward-zone name is documented as the full name of the
2087 - Fix analyzer review failure in rpz action override code to not
2089 - Fix to remove unused code from rpz resolve client and action
2091 - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
2094 - Fix #552: Unbound assumes index.html exists on RPZ host.
2097 - Fix chaos replies to have truncation for short message lengths,
2099 - Fix to protect custom regional create against small values.
2102 - Fix to add example.conf note for outbound-msg-retry.
2105 - Implement RFC8375: Special-Use Domain 'home.arpa.'.
2108 - For crosscompile on windows, detect 64bit stackprotector library.
2109 - Fix crosscompile shell syntax.
2110 - Fix crosscompile windows to use libssp when it exists.
2111 - For the windows compile script disable gost.
2112 - Fix that on windows, use BIO_set_callback_ex instead of deprecated
2114 - Fix crosscompile script for the shared build flags.
2117 - Fix crosscompile on windows to work with openssl 3.0.0 the
2118 link with ws2_32 needs -l:libssp.a for __strcpy_chk.
2122 - Fix initialisation errors reported by gcc sanitizer.
2123 - Fix lock debug code for gcc sanitizer reports.
2124 - Fix more initialisation errors reported by gcc sanitizer.
2127 - Merged #41 from Moritz Schneider: made outbound-msg-retry
2129 - Small fixes for #41: changelog, conflicts resolved,
2133 - Fix for #41: change outbound retry to int to fix signed comparison
2135 - Fix root_anchor test to check with new icannbundle date.
2138 - Fix #538: Fix subnetcache statistics.
2141 - Fix tcp fastopen failure when disabled, try normal connect instead.
2144 - Fix #533: Negative responses get cached even when setting
2145 cache-max-negative-ttl: 1
2148 - Merge #401: RPZ triggers. This add additional RPZ triggers,
2151 are fully supported, and this now includes the tcp-only action.
2152 - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
2154 - Fix the stream wait stream_wait_count_lock and http2 buffer locks
2156 - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
2161 - Fix compile warning in libunbound for listen desetup routine.
2162 - Fix asynclook unit test for setup of lockchecks before log.
2165 - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
2167 - Fix #531: Fix: passed to proc after free.
2170 - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
2172 - Fix #527: not sending quad9 cert to syslog (and may be more).
2173 - Fix sed script in ssldir split handling.
2176 - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
2180 - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
2183 - Support using system-wide crypto policies.
2184 - Fix for #431: Squelch permission denied errors for udp connect,
2186 - Fix zonemd verification of key that is not in DNS but in the zone
2188 - zonemd, fix order of bogus printout string manipulation.
2191 - Merge PR #514, from ziollek: Docker environment for run tests.
2192 - For #514: generate configure.
2195 - And 1.13.2rc1 became the 1.13.2 with the fix for the python module
2197 - Add test tool readzone to .gitignore.
2198 - Merge #521: Update mini_event.c.
2199 - Merge #523: fix: free() call more than once with the same pointer.
2200 - Merge #519: Support for selective enabling tcp-upstream for
2202 - For #519: note stub-tcp-upstream and forward-tcp-upstream in
2204 - For #519: yacc and lex. And fix python bindings, and test program
2205 unbound-dnstap-socket.
2206 - For #519: fix comments for doxygen.
2207 - Fix to print error from unbound-anchor for writing to the key
2211 - Tag for 1.13.2rc1 release.
2212 - Fix #520: Unbound 1.13.2rc1 fails to build python module.
2215 - Merge PR #415 from sibeream: Use
2217 ports. (New --enable-linux-ip-local-port-range configuration option)
2218 - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
2222 - In unit test use openssl set security level to allow keys in test.
2223 - Fix static analysis warnings about localzone locks that are unused.
2224 - Fix missing locks in zonemd unit test.
2225 - Fix readzone compile under debug config.
2226 - Fix out of sourcedir run of zonemd unit tests.
2227 - Fix libnettle zonemd unit test.
2228 - Fix unit test zonemd_reload for use in run_vm.
2231 - Listen to read or write events after the SSL handshake.
2235 - Merge PR #517 from dyunwei: #420 breaks the mesh reply list
2237 - Annotate assertion into error printout; we think it may be an
2239 - Fix sign comparison warning on FreeBSD.
2242 - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
2244 - Move RSA and DSA to use OpenSSL 3.0.0 API.
2245 - Move ECDSA functions to use OpenSSL 3.0.0 API.
2246 - iana portlist update.
2247 - Fix verbose printout failure in tcp reuse unit test.
2250 - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
2252 - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
2254 - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
2257 - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
2262 - Merge #512: unbound.service.in: upgrade hardening to latest
2264 - Fix readzone unknown type print for memory resize.
2267 - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
2271 - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
2274 - Merge #510 from ndptech: Don't call a function which hasn't been
2276 - Fix for #510: in depth, use ifdefs for windows api event calls.
2277 - Fix spelling in doc/unbound.doxygen comment.
2278 - Fix spelling in localzone.h comment.
2279 - Fix unbound-control local_data and local_datas to print detailed
2281 - review fix to remove duplicate error printout.
2282 - Insert header into testcode/readzone.c, it was missing.
2283 - Fix from lint for ignored return value.
2284 - Fix for older parsers for function call in serve expired get cached.
2287 - iana portlist update.
2290 - Fix compiler warnings for #491.
2291 - Fix clang-analysis warnings for testcode/readzone.c.
2294 - Fix Wunused-result compile warnings.
2297 - Merge PR #491: Add SVCB and HTTPS types and handling according to
2298 draft-ietf-dnsop-svcb-https.
2301 - Fix #506: Python Module Seems to Leak Memory if it Experiences an
2305 - Fix up permissions on rpl data file in tests.
2306 - Fix testbound newline treatment in moment_read and tempfile write.
2307 - Fix configure grep for reuseport default for failure.
2308 - Fix compat ctime_r return value
2309 - Fix configure does not require pkg-config if not needed.
2310 - Fix unit test in the ctime_r calls for autotrust and in testbound.
2311 - Fix auth zone download on windows to unlink before rename.
2314 - Add analyzer and port compile github workflow.
2317 - Fix #503: DNS over HTTPS response truncated.
2318 - Fix warnings reported by the gcc analyzer.
2321 - Fix #495: Documentation or implementation of "verbosity" option.
2324 - Fix a number of warnings reported by the gcc analyzer.
2327 - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
2330 - Fix configure nonblocking test and onmingw test to use host.
2333 - Fix #500: SPEC file in version 1.13.1 references version 1.4;
2335 - Fix contrib/unbound.spec, fixed url and comment.
2338 - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
2339 - Generated lexer and parser for #486; updated example.conf.
2340 - Fix #413 (based on patch by k-ronny): unbound: does not compile
2341 on macOS 11.1-x86_64 host.
2342 - Use host_os instead of target_os in configure for Darwin8 build.
2345 - Fix unused variable warning when compiling with --enable-dnstap.
2348 - Merge #448 from shoeper: Update unbound-control.8.in, fix
2350 - Fix #425: Document auth-zone supports communication with DNS
2354 - Fix test for zonemd-check option.
2357 - Merge #496 from banburybill: Use build system endianness if
2359 - zonemd-check: yesno option, default no, enables the processing
2363 - Move the NSEC3 max iterations count in line with the 150 value
2366 - Fix #492: module-config respip missing in unbound.conf.5.in man
2368 - For #492: Fix font highlighting for the man page on emacs.
2371 - Test code has -q option for quiet output.
2374 - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
2376 - Refactor for uniform way to produce random DNS message IDs.
2379 - Fix #489: Compile using MSYS2 MinGW 64-bit.
2382 - Fix that auth-zone zonefiles use last TTL if no TTL is specified.
2385 - Merge PR #487: ifdef RLIMIT_AS in recently added check.
2388 - Fix #485: Unbound occasionally reports broken stats.
2389 - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
2390 - Remove case fallthrough from deprecate-rsa-1024 code.
2393 - Fix for #367: only attempt to get the interface for queries that are no
2395 - Add more logging for out-of-memory cases.
2398 - Merge #478: Allow configuration of TCP timeout while waiting for
2400 - Fix to squelch tcp socket bind failures when the interface is gone.
2401 - Rerun flex and bison.
2404 - Fix #481: Fix comment in configuration file.
2407 - Add that log-servfail prints an IP address and more information
2411 - Fix compiler warning for signed/unsigned comparison for
2415 - Fix #474: always_null and others inside view.
2418 - Merge #470 from edevil: Allow configuration of persistent TCP
2422 - Merge #466 from FGasper: Support OpenSSLs that lack
2424 - Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
2425 - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
2427 - Fix that testcode dohclient has OpenSSL initialisation calls.
2430 - Fix documentation comment for files previously residing in checkconf/.
2431 - Remove unused functions worker_handle_reply and libworker_handle_reply.
2434 - Fix that nxdomain synthesis does not happen above the stub or
2438 - Fix (increase) verbosity level for iterator error log in
2442 - Fix permission denied sendto log, squelch the log messages
2446 - rebuild configure to set EXTRALINK to libunbound.la for #460.
2449 - Fix for #411: Depth protect for crash on deleted element timeout.
2452 - Merge #460 from orbea: build: Link with the libtool archive.
2453 - Fix to stop IPv6 PMTU discovery.
2456 - Clean makedist.sh.
2459 - Fix stack-protector change to not override other CFLAGS options.
2462 - Disable the use of stack-protector for cross compiled 32-bit windows
2466 - Fix #429: Also fix end of transfer for http download of auth zones.
2469 - Fix deprecation test to work for iOS TVOS and WatchOS, it uses
2471 - Travis, fix script to fail when tasks fail.
2472 - Travis, fix warning in ubsan compile.
2473 - Fix configure Targetconfiditionals.h header check, to use compile.
2474 - Fix that cachedb does not produce empty object files when disabled.
2477 - Travis enable all tests again. Clang analyzer only a couple times,
2480 tests to allow-failure.
2481 - travis, analyzer disabled on test without debug, that does not
2486 - Fix unused-function warning when compiling with --enable-dnscrypt.
2487 - Fix for #367: fix memory leak when cannot bind to listening port.
2488 - Reformat pythonmod/pythonmod_utils.{c,h}.
2491 - Merge #449 from orbea: build: Add missing linker flags.
2492 - iana portlist update.
2493 - Comment out nonworking OSX and IOS travis tests, vm fails to start.
2494 - Fix compile error in listen_dnsport on Android.
2495 - Fix memory leak reported by asan in rpz SOA record query name.
2498 - Fix for #447: squelch connection refused tcp connection failures
2502 - Fix #441: Minimal NSEC range not accepted for top level domains.
2505 - Fix parse of LOC RR type for decimetres.
2508 - Workaround for #439: prevent loops in the reuse rbtree.
2509 - Debug output for #411 and #439: printout internal error and details.
2512 - iana portlist update.
2513 - Fix spurious errors about "Could not generate request: out of
2518 - Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
2521 - Fix: Resolve interface names on control-interface too.
2524 - Merge PR #367 : DNSTAP log local address. With code from PR #365
2527 - Fix to allow rpz with wildcard that applies to all TLDs at once.
2530 - Fix #384: (1) A minor request to improve the log (2) A minor bug in one
2532 - ipsecmod: Better logging for detecting a cycle when attaching the
2536 - On startup of unbound it checks if rlimits on memory size look
2538 - Fix function documentation.
2539 - Fix unit test for added ulimit checks.
2540 - spelling fix in header.
2543 - Fix for zonemd, that domain-insecure zones work without dnssec.
2544 - Fix for zonemd, do not reject insecure result from trust anchor
2548 - Fix #431: Squelch permission denied errors for tcp connect
2550 - Fix for zonemd, that nxdomain for the chain of trust is allowed
2554 - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
2555 ZONEMD records are checked for zones loaded as auth-zone,
2557 zonemd-permissive-mode that makes it log but not fail wrong zones.
2558 With zonemd-reject-absence for an auth-zone the presence of a
2560 - Fix doxygen and pydoc warnings.
2561 - Fix #429: rpz: url: with https: broken (regression in 1.13.1).
2562 - rpz skip nsec3param records, and nicer log for unsupported actions.
2565 - Fix #422: IPv6 fallback issues when IPv6 is not properly
2567 - Fix to make tests work with support indicators set for iterator.
2568 - Fix build on Python 3.10.
2571 - Merge PR #420 from dyunwei: DOH not responsing with
2575 - Fix for Python 3.9, no longer use deprecated functions of
2580 - release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
2585 - branch-1.13.1 is created, with release-1.13.1rc1 tag.
2586 - Fix dynlibmod link on rhel8 for -ldl inclusion.
2587 - Fix windows dependency on libssp.dll because of default stack
2589 - Fix indentation of root anchor for use by windows install script.
2592 - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
2595 - Fix for doxygen 1.8.20 compatibility.
2598 - Annotate that we ignore the return value of if_indextoname.
2599 - Fix to use correct type for label count in rpz routine.
2600 - Fix empty clause warning in config_file nsid parse.
2601 - Fix to use correct type for label count in ipdnametoaddr rpz routine.
2602 - Fix empty clause warning in edns pass for padding.
2603 - Fix fwd ancil test post script when not supported.
2606 - Merge PR #408 from fobser: Prevent a few more yacc clashes.
2607 - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
2608 original instead of a decrementing TTL ('serve-original-ttl')
2609 - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
2611 - Ignore cache blacklisting when trying to reply with expired data from
2615 - Fix compile of unbound-dnstap-socket without dnstap installed.
2618 - Padding of queries and responses with DNS over TLS as specified in
2622 - Fix TTL of SOA record for negative answers (localzone and
2626 - Support for RFC5001: DNS Name Server Identifier (NSID) Option
2630 - Fix #404: DNS query with small edns bufsize fail.
2631 - Fix declaration before statement and signed comparison warning in
2635 - Merge #402 from fobser: Implement IPv4-Embedded addresses according
2639 - Fix for #93: dynlibmodule import library is named libunbound.dll.a.
2642 - Merge #399 from xiangbao227: The lock of lruhash table should
2644 - Fix for #93: dynlibmodule link fix for Windows.
2647 - Fix #397: [Feature request] add new type always_null to local-zone
2649 - Fix so local zone types always_nodata and always_deny can be used
2653 - Merge PR #391 from fhriley: Add start_time to reply callbacks so
2655 - For #391: use struct timeval* start_time for callback information.
2656 - For #391: fix indentation.
2657 - For #391: more double casts in python start time calculation.
2658 - Add comment documentation.
2659 - Fix clang analysis warning.
2662 - Fix #379: zone loading over HTTP appears to have buffer issues.
2663 - Merge PR #395 from mptre: add missing null check.
2664 - Fix #387: client-subnet-always-forward seems to effectively bypass
2668 - Fix #385: autoconf 2.70 impacts unbound build
2669 - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
2670 to unbound-control.
2673 - For #376: Fix that comm point event is not double removed or double
2675 - iana portlist updated.
2678 - Fix error cases when udp-connect is set and send() returns an error
2682 - Fix #371: unbound-control timeout when Unbound is not running.
2683 - Fix to squelch permission denied and other errors from remote host,
2685 - Merge PR #335 from fobser: Sprinkle in some static to prevent
2687 - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
2689 - Fix missing prototypes in the code.
2692 - make depend.
2693 - iana portlist updated.
2696 - Fix #360: for the additionally reported TCP Fast Open makes TCP
2699 - Fix #356: deadlock when listening tcp.
2700 - Fix unbound-dnstap-socket to not use log routine from interrupt
2702 - Fix on windows to ignore connection failure on UDP, unless verbose.
2703 - Fix for #283: fix stream reuse and tcp fast open.
2704 - Fix update, with write event check with streamreuse and fastopen.
2707 - Fix #358: Squelch udp connect 'no route to host' errors on low
2711 - Fix assertion failure on double callback when iterator loses
2714 - tag for the 1.13.0rc4 release. This also became the 1.13.0
2720 - Fix compile warning for type cast in http2_submit_dns_response.
2721 - Fix when use free buffer to initialize rbtree for stream reuse.
2722 - Fix compile warnings for windows.
2723 - Fix compile warnings in rpz initialization.
2724 - Fix contrib/metrics.awk for FreeBSD awk compatibility.
2725 - tag for the 1.13.0rc3 release.
2728 - Fix to omit UDP receive errors from log, if verbosity low.
2729 These happen because of udp-connect.
2730 - For #352: contrib/metrics.awk for Prometheus style metrics output.
2731 - Fix that after failed read, the readagain cannot activate.
2732 - Clear readagain upon decommission of pending tcp structure.
2735 - with udp-connect ignore connection refused with UDP timeouts.
2736 - Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
2737 - Better fix for reuse tree comparison for is-tls sockets. Where
2739 - Remove debug commands from reuse tests.
2740 - Fix memory leak for edns client tag opcode config element.
2741 - Attempt fix for libevent state in tcp reuse cases after a packet
2743 - Fix readagain and writeagain callback functions for comm point
2745 - tag for the 1.13.0rc2 release.
2748 - Merge PR #283 : Stream reuse. This implements upstream stream
2751 - set version of main branch to 1.13.0 for upcoming release.
2752 - iana portlist updated.
2753 - Fix one port unit test for udp-connect.
2754 - tag for the 1.13.0rc1 release.
2755 - Fix crash when TLS connection is closed prematurely, when
2757 - Fix padding of struct regional for 32bit systems.
2760 - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
2761 edns-client-string option.
2764 - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
2766 - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
2769 - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
2770 - Option to toggle udp-connect, default is enabled.
2771 - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
2773 - Further fix for it and retvalue 0 fix for it.
2776 - Fix to connect() to UDP destinations, default turned on,
2778 - Retry for interfaces with unused ports if possible.
2781 - Fix #341: fixing a possible memory leak.
2782 - Fix memory leak after fix for possible memory leak failure.
2783 - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
2787 - In man page note that tls-cert-bundle is read before permission
2791 - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
2793 - Fix that minimal-responses does not remove addresses from a priming
2797 - Fix #327: net/if.h check fails on some darwin versions; contribution by
2799 - Fix #320: potential memory corruption due to size miscomputation upton
2803 - Merge PR #228 : infra-keep-probing option to probe hosts that are
2804 down. Add infra-keep-probing: yes option. Hosts that are down are
2813 - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
2814 unbound-control TLS certificates.
2815 - Fix for PR #324 to attach the x509v3 extensions to the client
2819 - local-zone regional allocations outside of chunk
2822 - Fix that http settings have colon in set_option, for
2823 http-endpoint, http-max-streams, http-query-buffer-size,
2824 http-response-buffer-size, and http-nodelay.
2825 - Fix memory leak of https port string when reading config.
2826 - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
2827 This adds the option http-notls-downstream: yesno to change that,
2828 and the dohclient test code has the -n option.
2829 - Fix python documentation warning on functions.rst inplace_cb_reply.
2830 - Fix dnstap test to wait for log timer to see if queries are logged.
2831 - Log ip address when http session recv fails, eg. due to tls fail.
2832 - Fix to set the tcp handler event toggle flag back to default when
2834 - Clean the fix for out of order TCP processing limits on number
2838 - Fix that the out of order TCP processing does not limit the
2842 - Fix that if there are reply callbacks for the given rcode, those
2845 - Pass the comm_reply information to the inplace_cb_reply* functions
2849 - Merge PR #326 from netblue30: DoH: implement content-length
2851 - DoH content length, simplify code, remove declaration after
2855 - Fix for python reply callback to see mesh state reply_list member,
2858 - Fix that if there are on reply callbacks, those are called per
2860 - Free up auth zone parse region after use for lookup of host
2863 - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
2867 - Fix dnstap socket and the chroot not applied properly to the dnstap
2869 - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
2872 - Tag for 1.12.0 release.
2873 - Current repo is version 1.12.1 in development.
2874 - Fix #319: potential memory leak on config failure, in rpz config.
2877 - Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
2880 - Fix doh tests when not compiled in.
2881 - Add dohclient test executable to gitignore.
2882 - Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
2884 - Easier kill of unbound-dnstap-socket tool in test.
2885 - Fix memory leak of edns tags at libunbound context delete.
2886 - Fix double loopexit for unbound-dnstap-socket after sigterm.
2889 - DNS Flag Day 2020: change edns-buffer-size default to 1232.
2892 - Fix unit test for dnstap changes, so that it waits for the timer.
2895 - Fix #305: dnstap logging significantly affects unbound performance
2897 - Fix #305: only wake up thread when threshold reached.
2898 - Fix to ifdef fptr wlist item for dnstap.
2901 - Fix edns-client-tags get_option typo
2902 - Add edns-client-tag-opcode option
2903 - Use inclusive language in configuration
2906 - Fix #304: dnstap logging not recovering after dnstap process restarts
2909 - Merge PR #311 by luismerino: Dynlibmod leak.
2910 - Error message is logged for dynlibmod malloc failures.
2911 - iana portlist updated.
2914 - Fix that prefer-ip4 and prefer-ip6 can be get and set with
2915 unbound-control, with libunbound and the unbound-checkconf option
2917 - iana portlist updated.
2920 - Introduce test for statistics.
2923 - Spelling fix.
2926 - Remove x file mode on ipset/ipset.c and h files.
2929 - Fix num.expired statistics output.
2932 - Merge PR #293: Add missing prototype. Also refactor to use the new
2934 - Refactor to use sock_strerr shorthand function.
2935 - Fix #296: systemd nss-lookup.target is reached before unbound can
2939 - Similar to NSD PR#113, implement that interface names can be used,
2942 - Review fix, doxygen and assign null in case of error free.
2945 - Update documentation in python example code.
2948 - Fix that dnstap reconnects do not spam the log with the repeated
2951 - Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
2952 - Change configure to use EVP_sha256 instead of HMAC_Update for
2953 openssl-3.0.0.
2956 - Fix stats double count issue (#289).
2959 - Create and init edns tags data for libunbound.
2962 - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
2966 - Fix #287: doc typo: "Additionaly".
2967 - Rerun autoconf
2970 - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
2976 - contrib/aaaa-filter-iterator.patch file renewed diff content to
2980 - Merge PR #272: Add EDNS client tag functionality.
2983 - Improve error log message when inserting rpz RR.
2984 - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
2988 - Fix mini_event.h on OpenBSD cannot find fd_set.
2991 - Fix doxygen comment for no ssl for tls session ticket key callback
2995 - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
2999 - Merge PR #269, Fix python module len() implementations, by Torbjörn
3003 - branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release.
3004 - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
3007 - Fix streamtcp to print packet data to stdout. This makes the
3009 - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
3012 - branch now named 1.11.0 and 1.11.0rc1 tag.
3015 - Fix libnettle compile for session ticket key callback function
3017 - Fix lock dependency cycle in rpz zone config setup.
3020 - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
3021 Courrèges-Anglas.
3022 - Fix PR #234 log_assert sizeof to use union buffer.
3025 - Fix check conf test for referencing installation paths.
3026 - Fix unused variable warning for clang analyzer.
3029 - Introduce 'include-toplevel:' configuration option.
3032 - Add bidirectional frame streams support.
3035 - Fix add missing DSA header, for compilation without deprecated
3037 - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
3038 3.0.0-alpha4.
3039 - Longer keys for the test set, this avoids weak crypto errors.
3042 - Fix #259: Fix unbound-checkconf does not check view existence.
3043 unbound-checkconf checks access-control-view, access-control-tags,
3044 access-control-tag-actions and access-control-tag-datas.
3045 - Fix offset of error printout for access-control-tag-datas.
3046 - Review fixes for checkconf #259 change.
3049 - run_vm cleanup better and removes trailing slash on single argument.
3052 - Move reply list clean for serve expired mesh callback to after
3054 - Also move reply list clean for mesh callbacks to the scrip callback
3056 - Fix for mesh accounting if the reply list already empty to begin
3058 - Fix for mesh accounting when rpz decides to drop a reply with a
3060 - Review fix for number of detached states due to use of variable
3062 - Fix tcp req info drop due to size call into mesh accounting
3066 - iana portlist updated.
3067 - doxygen file comments for dynlibmodule.
3070 - Fix default explanation in man page for qname-minimisation-strict.
3071 - Fix display of event loop method with libev.
3074 - Mention tls name possible when tls is enabled for stub-addr in the
3078 - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
3082 - Update contrib/aaaa-filter-iterator.patch for the recent
3086 - Fix for integer overflow when printing RDF_TYPE_TIME.
3089 - CVE-2020-12662 Unbound can be tricked into amplifying an incoming
3091 - CVE-2020-12663 Malformed answers from upstream name servers can be
3093 - Release 1.10.1 is 1.10.0 with fixes, code repository continues,
3096 - For PR #93: windows compile warnings removal
3097 - windows compile warnings removal for ip dscp option code.
3098 - For PR #93: unit test for dynlib module.
3101 - For PR #93: dynlibmod can handle reloads and deinit and inits again,
3104 to allow one dynlibmod instance by unbound-checkconf.
3105 - For PR #93: checkconf allows multiple dynlib in module-config, for
3107 - For PR #93: checkconf allows python dynlib in module-config, for
3109 - For PR #93: man page spelling reference fix.
3110 - For PR #93: fix link of other executables for dynlibmod dependency.
3113 - Merge PR #93: Add dynamic library support.
3114 - Fixed conflicts for PR #93 and make configure, yacc, lex.
3115 - For PR #93: Fix warnings for dynlibmodule.
3118 - Cache ECS answers with longest scope of CNAME chain.
3121 - Explicitly use 'rrset-roundrobin: no' for test cases.
3124 - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
3125 KSK-2010 from the default list in unbound-anchor, now that the
3126 revocation period is over. KSK-2017 is the only trust anchor in
3130 - Change default value for 'rrset-roundrobin' to yes.
3131 - Fix tests for new rrset-roundrobin default.
3134 - Fix #222: --enable-rpath, fails to rpath python lib.
3135 - Fix for count of reply states in the mesh.
3136 - Remove unneeded was_mesh_reply check.
3139 - Add SNI support on more TLS connections (fixes #193).
3140 - Add SNI support to unbound-anchor.
3143 - Add doxygen documentation for DSCP.
3146 - Fix help return code in unbound-control-setup script.
3147 - Fix for posix shell syntax for trap in nsd-control-setup.
3148 - Fix for posix shell syntax for trap in run_msg.sh test script.
3151 - Fix #220: auth-zone section in config may lead to segfault.
3154 - Merge PR #214 from gearnode: unbound-control-setup recreate
3155 certificates. With the -r option the certificates are created
3159 - Keep track of number of timeouts. Use this counter to determine if
3163 - More documentation for redis-expire-records option.
3166 - Merge PR #206: Redis TTL, by Talkabout.
3169 - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
3170 - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
3174 - Merge PR #203 from noloader: Update README-Travis.md with current
3178 - Make unbound-control error returned on missing domain name more user
3182 - Fix RPZ concurrency issue when using auth_zone_reload.
3185 - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
3186 - Fix on #201.
3189 - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
3191 - Fixes on #200.
3192 - Travis fix for ios by omitting tools from install.
3195 - Fix compile on Solaris for unbound-checkconf.
3198 - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
3202 - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
3206 - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
3207 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
3209 - Merge PR#134, Allow the kernel to provide random source ports. By
3211 - Log warning when using outgoing-port-permit and outgoing-port-avoid
3213 - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
3214 - Fix .travis.yml error, missing 'env' option.
3217 - Fix #192: In the unbound-checkconf tool, the module config of
3222 - Fix compile of test tools without protobuf.
3225 - Add check to make sure RPZ records are subdomains of configured
3229 - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
3231 - Changelog entry for (Fix #189, Merge PR #190).
3234 - Fix #188: unbound-control.c:882:6: error: 'execlp' is
3238 - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
3242 - Fix PR #182 from noloader: Add iOS testing to Travis.
3245 - Update README-Travis.md (from PR #179), by Jeffrey Walton.
3248 - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
3251 - Merge PR #180 from noloader: Avoid calling exit in Travis script.
3254 - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
3257 - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
3258 with no-engine, thanks noloader.
3261 - Fix compiler warning in dns64/dns64.c
3262 - Merge PR #174: Add Android to Travis testing, by noloader.
3263 - Move android build scripts to contrib/ and allow android tests to fail.
3266 - Fix #177: dnstap does not build on macOS.
3269 - Merge PR #172: Add IBM s390x arch for testing, by noloader.
3272 - Merge PR #173: updated makedist.sh for config.guess and
3274 - Merge PR #164: Framestreams, this branch implements dnstap
3282 The make unbound-dnstap-socket builds a debug tool,
3283 unbound-dnstap-socket. It can listen, accept multiple DNSTAP
3291 in the man page and example config file. dnstap-ip with IP
3292 address of server for TCP or TLS use. dnstap-tls to turn
3293 on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
3294 dnstap-tls-client-key-file and dnstap-tls-client-cert-file
3299 - Merge PR #171: Add additional compilers and platforms to Travis
3303 - Fix #169: Fix warning for daemon/remote.c output may be truncated
3305 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
3307 - Fix more undefined sanitizer issues, in respip copy_rrset null
3311 - iana portlist updated.
3314 - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
3319 - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
3322 - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
3324 - master branch has 1.10.1 version.
3327 - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
3331 - changelog point where the tag for 1.10.0rc2 release is. And with
3335 - Add respip to supported module-config options in unbound-checkconf.
3338 - Remove unused variable.
3341 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
3342 in RPZ-Format, contributed by Andreas Schulze.
3345 - Fix spelling in unbound.conf.5.in.
3346 - Stop unbound-checkconf from insisting that auth-zone and rpz
3350 - tag for 1.10.0rc1 release.
3353 - Fix with libnettle make test with dsa disabled.
3354 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
3356 - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
3357 - Fix compile warning when threads disabled.
3358 - updated version number to 1.10.0.
3361 - Document 'ub_result.was_ratelimited' in libunbound.
3362 - Fix use after free on log-identity after a reload; Fixes #163.
3365 - Fix num_reply_states and num_detached_states counting with
3367 - Cleaner code in mesh_serve_expired_lookup.
3368 - Document in unbound.conf manpage that configuration clauses can be
3372 - Fix num_reply_addr counting in mesh and tcp drop due to size
3374 - Fix to create and destroy rpz_lock in auth_zones structure.
3375 - Fix to lock zone before adding rpz qname trigger.
3376 - Fix to lock and release once in mesh_serve_expired_lookup.
3377 - Fix to put braces around empty if body when threading is disabled.
3380 - Added serve-stale functionality as described in
3381 draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
3383 - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
3384 - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
3385 come with a configurable TTL value (`serve-expired-reply-ttl`).
3386 - Fixed stats when replying with cached, cname-aliased records.
3387 - Added missing default values for redis cachedb backend.
3390 - Add assertion to please static analyzer
3393 - Fix fclose on error in TLS session ticket code.
3396 - Fix memory leak in error condition remote.c
3397 - Fix double free in error condition view.c
3398 - Fix memory leak in do_auth_zone_transfer on success
3399 - Merge RPZ support into master. Only QNAME and Response IP triggers are
3401 - Stop working on socket when socket() call returns an error.
3402 - Check malloc return values in TLS session ticket code
3405 - Fix subnet tests for disabled DSA algorithm by default.
3406 - Update contrib/fastrpz.patch for clean diff with current code.
3407 - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
3410 - updated .gitignore for added contrib file.
3411 - Add build rule for ipset to Makefile
3412 - Add getentropy_freebsd.o to Makefile dependencies.
3415 - Merge PR#156 from Alexander Berkes; Added unbound-control
3419 - Fix #157: undefined reference to `htobe64'.
3422 - Merge PR#147; change rfc reference for reserved top level dns names.
3425 - iana portlist updated.
3426 - Fix to silence the tls handshake errors for broken pipe and reset
3430 - Merge PR#154; Allow use of libbsd functions with configure option
3431 --with-libbsd. By Robert Edmonds and Steven Chamberlain.
3432 - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
3435 - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
3437 - Fix #153: Disable validation for DSA algorithms. RFC 8624
3441 - Merge PR#150 from Frzk: Systemd unit without chroot. It add
3447 - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
3448 because dnscrypt-proxy (2.0.36) does not support the test setup
3451 - Fix crash after reload where a stats lookup could reference old key
3453 - Fix for memory leak when edns subnet config options are read when
3455 - Fix auth zone support for NSEC3 records without salt.
3458 - Fix the relationship between serve-expired and prefetch options,
3460 - Fix unreachable code in ssl set options code.
3463 - Fix #138: stop binding pidfile inside chroot dir in systemd service
3467 - Fix 'make test' to work for --disable-sha1 configure option.
3468 - Fix out-of-bounds null-byte write in sldns_bget_token_par while
3469 parsing type WKS, reported by Luis Merino from X41 D-Sec.
3470 - Updated sldns_bget_token_par fix for also space for the zero
3474 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
3477 - Changes to compat/getentropy_solaris.c for,
3482 - Merge #135 from Florian Obser: Use passed in neg and key cache
3483 if non-NULL.
3484 - Fix #140: Document slave not downloading new zonefile upon update.
3487 - Update mailing list URL.
3490 - Master is 1.9.7 in development.
3491 - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
3495 - Fix to make auth zone IXFR to fallback to AXFR if a single
3499 - Fix ipsecmod compile.
3500 - Fix Makefile.in for ipset module compile, from Adi Prasaja.
3501 - release-1.9.6 tag, which became the 1.9.6 release
3504 - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
3505 replacements for unbound-fuzzme.c that gets created after applying
3506 the contrib/unbound-fuzzme.patch. They are contributed by
3507 Eric Sesterhenn from X41 D-Sec.
3508 - tag for 1.9.6rc1.
3511 - Fix lock type for memory purify log lock deletion.
3512 - Fix testbound for alloccheck runs, memory purify and lock checks.
3513 - update contrib/fastrpz.patch to apply more cleanly.
3514 - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
3515 reported by X41 D-Sec.
3518 - Merge pull request #124 from rmetrich: Changed log lock
3520 - Fix text around serial arithmatic used for RRSIG times to refer
3522 - Fix Assert Causing DoS in synth_cname(),
3523 reported by X41 D-Sec.
3524 - Fix similar code in auth_zone synth cname to add the extra checks.
3525 - Fix Assert Causing DoS in dname_pkt_copy(),
3526 reported by X41 D-Sec.
3527 - Fix OOB Read in sldns_wire2str_dname_scan(),
3528 reported by X41 D-Sec.
3529 - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
3530 reported by X41 D-Sec.
3531 - Fix Out of Bounds Write in sldns_b64_pton(),
3533 reported by X41 D-Sec.
3534 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
3535 reported by X41 D-Sec.
3536 - Fix Out of Bound Write Compressed Names in rdata_copy(),
3537 reported by X41 D-Sec.
3538 - Fix Hang in sldns_wire2str_pkt_scan(),
3539 reported by X41 D-Sec.
3541 - Fix snprintf() supports the n-specifier,
3542 reported by X41 D-Sec.
3543 - Fix Bad Indentation, in dnscrypt.c,
3544 reported by X41 D-Sec.
3545 - Fix Client NONCE Generation used for Server NONCE,
3546 reported by X41 D-Sec.
3547 - Fix compile error in dnscrypt.
3548 - Fix _vfixed not Used, removed from sbuffer code,
3549 reported by X41 D-Sec.
3550 - Fix Hardcoded Constant, reported by X41 D-Sec.
3551 - make depend
3554 - Merge pull request #122 from he32: In tcp_callback_writer(),
3555 don't disable time-out when changing to read.
3558 - Fix compiler warnings.
3561 - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
3562 - Add make distclean that removes everything configure produced,
3563 and make maintainer-clean that removes bison and flex output.
3566 - Fix Out of Bounds Read in rrinternal_get_owner(),
3567 reported by X41 D-Sec.
3568 - Fix Race Condition in autr_tp_create(),
3569 reported by X41 D-Sec.
3570 - Fix Shared Memory World Writeable,
3571 reported by X41 D-Sec.
3572 - Adjust unbound-control to make stats_shm a read only operation.
3573 - Fix Weak Entropy Used For Nettle,
3574 reported by X41 D-Sec.
3575 - Fix Randomness Error not Handled Properly,
3576 reported by X41 D-Sec.
3577 - Fix Out-of-Bounds Read in dname_valid(),
3578 reported by X41 D-Sec.
3579 - Fix Config Injection in create_unbound_ad_servers.sh,
3580 reported by X41 D-Sec.
3581 - Fix Local Memory Leak in cachedb_init(),
3582 reported by X41 D-Sec.
3583 - Fix Integer Underflow in Regional Allocator,
3584 reported by X41 D-Sec.
3585 - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
3586 - Synchronize compat/getentropy_win.c with version 1.5 from
3588 - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
3589 - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
3590 - Changes to compat/getentropy files for,
3596 - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
3597 - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
3598 - Fix Terminating Quotes not Written, reported by X41 D-Sec.
3599 - Fix Useless memset() in validator, reported by X41 D-Sec.
3600 - Fix Unrequired Checks, reported by X41 D-Sec.
3601 - Fix Enum Name not Used, reported by X41 D-Sec.
3602 - Fix NULL Pointer Dereference via Control Port,
3603 reported by X41 D-Sec.
3604 - Fix Bad Randomness in Seed, reported by X41 D-Sec.
3605 - Fix python examples/calc.py for eval, reported by X41 D-Sec.
3606 - Fix comments for doxygen in dns64.
3609 - Fix CVE-2019-18934, shell execution in ipsecmod.
3610 - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
3611 - Fix authzone printout buffer length check.
3612 - Fixes to please lint checks.
3613 - Fix Integer Overflow in Regional Allocator,
3614 reported by X41 D-Sec.
3615 - Fix Unchecked NULL Pointer in dns64_inform_super()
3616 and ipsecmod_new(), reported by X41 D-Sec.
3617 - Fix Out-of-bounds Read in rr_comment_dnskey(),
3618 reported by X41 D-Sec.
3619 - Fix Integer Overflows in Size Calculations,
3620 reported by X41 D-Sec.
3621 - Fix Integer Overflow to Buffer Overflow in
3622 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
3623 - Fix Out of Bounds Read in sldns_str2wire_dname(),
3624 reported by X41 D-Sec.
3625 - Fix Out of Bounds Write in sldns_bget_token_par(),
3626 reported by X41 D-Sec.
3629 - In unbound-host use separate variable for get_option to please
3631 - update to bison output of 3.4.1 in code repository.
3632 - Provide a prototype for compat malloc to remove compile warning.
3633 - Portable grep usage for reuseport configure test.
3634 - Check return type of HMAC_Init_ex for openssl 0.9.8.
3635 - gitignore .source tempfile used for compatible make.
3638 - iana portlist updated.
3639 - contrib/fastrpz.patch updated to apply for current code.
3640 - fixes for splint cleanliness, long vs int in SSL set_mode.
3643 - Fix #109: check number of arguments for stdin-pipes in
3644 unbound-control and fail if too many arguments.
3645 - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
3648 - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
3651 - Add new configure option `--enable-fully-static` to enable full static
3655 - Merge #97: manpage: Add missing word on unbound.conf,
3659 - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
3661 patch -p1 < contrib/drop-tld.diff and compile.
3667 - Add doxygen comments to unbound-anchor source address code, in #86.
3670 - Merge #90 from vcunat: fix build with nettle-3.5.
3671 - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
3672 - Continue with development of 1.9.5.
3673 - Merge #86 from psquarejho: Added -b source address option to
3674 smallapp/unbound-anchor.c, from Lukas Wunner.
3677 - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
3681 - The unbound.conf includes are sorted ascending, for include
3685 - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
3689 - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
3691 - Merge #81 from Maryse47: Consistently use /dev/urandom instead
3693 - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
3697 - Fix #78: Memory leak in outside_network.c.
3698 - Merge pull request #76 from Maryse47: Improvements and fixes for
3700 - oss-fuzz badge on README.md.
3701 - Fix fix for #78 to also free service callback struct.
3702 - Fix for oss-fuzz build warning.
3703 - Fix wrong response ttl for prepended short CNAME ttls, this would
3704 create a wrong zero_ttl response count with serve-expired enabled.
3705 - Merge #80 from stasic: Improve wording in man page.
3708 - Use explicit bzero for wiping clear buffer of hash in cachedb,
3709 reported by Eric Sesterhenn from X41 D-Sec.
3712 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
3717 - Fix #71: fix openssl error squelch commit compilation error.
3720 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
3726 - ipset module #28: log that an address is added, when verbosity high.
3727 - ipset: refactor long routine into three smaller ones.
3728 - updated Makefile dependencies.
3731 - Fix contrib/fastrpz.patch asprintf return value checks.
3734 - Fix that pkg-config is setup before --enable-systemd needs it.
3735 - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
3739 - Fix log_dns_msg to log irrespective of minimal responses config.
3742 - Document limitation of pidfile removal outside of chroot directory.
3745 - Fix unittest valgrind false positive uninitialised value report,
3746 where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
3750 valgrinds --expensive-definedness-checks=yes can stop this false
3752 - Please doxygen's parser for "@" occurrence in doxygen comment.
3753 - Fixup contrib/fastrpz.patch
3754 - Remove warning about unknown cast-function-type warning pragma.
3757 - iana portlist updated.
3758 - Fix autotrust temp file uniqueness windows compile.
3759 - avoid warning about upcast on 32bit systems for autotrust.
3760 - escape commandline contents for -V.
3761 - Fix character buffer size in ub_ctx_hosts.
3762 - 1.9.3rc1 release candidate tag.
3763 - Option -V prints if TCP fastopen is available.
3766 - Fix #59, when compiled with systemd support check that we can properly
3770 - Generate configlexer with newer flex.
3771 - Fix warning for unused variable for compilation without systemd.
3774 - Introduce `-V` option to print the version number and build options.
3776 are now moved from `-h` to `-V` as well for consistency.
3777 - PACKAGE_BUGREPORT now also includes link to GitHub issues.
3780 - For #52 #53, second context does not close logfile override.
3781 - Fix #52 #53, fix for example fail program.
3782 - Fix to return after failed auth zone http chunk write.
3783 - Fix to remove unused test for task_probe existance.
3784 - Fix to timeval_add for remaining second in microseconds.
3785 - Check repinfo in worker_handle_request, if null, drop it.
3788 - Add verbose log message when auth zone file is written, at level 4.
3789 - Add hex print of trust anchor pointer to trust anchor file temp
3793 - Fix question section mismatch in local zone redirect.
3796 - Fix #49: Set no renegotiation on the SSL context to stop client
3800 - Fix #48: Unbound returns additional records on NODATA response,
3801 if minimal-responses is enabled, also the additional for negative
3805 - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
3810 - Fix for possible assertion failure when answering respip CNAME from
3814 - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
3815 when do-not-query-localhost is turned on, or at default on,
3816 unbound-checkconf prints a warning if it is found in forward-addr or
3817 stub-addr statements.
3820 - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
3823 - PR #28: IPSet module, by Kevin Chou. Created a module to support
3825 Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
3826 - Fix to omit RRSIGs from addition to the ipset.
3827 - Fix to make unbound-control with ipset, remove unused variable,
3830 - make depend
3831 - Added documentation to the ipset files (for doxygen output).
3832 - Merge PR #6: Python module: support multiple instances
3833 - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
3834 - Merge PR #4: Python module: assign something useful to the
3835 per-query data store 'qdata'
3836 - Fix python dict reference and double free in config.
3839 - Master contains version 1.9.3 in development.
3840 - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
3841 - Fix for #24: Fix abort due to scan of auth zone masters using old
3845 - Fix another spoolbuf storage code point, in prefetch.
3846 - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
3850 - Fix that fixes the Fix that spoolbuf is not used to store tcp
3853 - 1.9.2rc2 release candidate tag.
3856 - 1.9.2rc1 release candidate tag.
3859 - iana portlist updated.
3862 - Fix to guard _OPENBSD_SOURCE from redefinition.
3865 - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
3866 - gitignore config.h.in~.
3869 - Fix double file close in tcp pipelined response code.
3872 - Fix that spoolbuf is not used to store tcp pipelined response
3876 - Note that so-reuseport at extreme load is better turned off,
3880 - Fix #31: swig 4.0 and python module.
3883 - Squelch log messages from tcp send about connection reset by peer.
3886 - Attempt to fix malformed tcp response.
3889 - Revert fix for oss-fuzz, error is in that build script that
3894 - Attempt to fix build failure in oss-fuzz because of reallocarray.
3895 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
3899 - Fix edns-subnet locks, in error cases the lock was not unlocked.
3900 - Fix doxygen output error on readme markdown vignettes.
3903 - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
3904 - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
3911 - contrib/fastrpz.patch updated for code changes, and with git diff.
3912 - Fix .gitignore, add pythonmod and dnstap generated files.
3916 - Update makedist for git.
3917 - Nicer travis output for clang analysis.
3918 - PR #16: XoT support, AXFR over TLS, turn it on with
3923 - Fix wrong query name in local zone redirect answers with a CNAME,
3927 - Scrub RRs from answer section when reusing NXDOMAIN message for
3929 - For harden-below-nxdomain: do not consider a name to be non-exitent
3933 - travis build file.
3936 - Better braces in if statement in TCP fastopen code.
3937 - iana portlist updated.
3940 - Fix tls write event for read state change to re-call SSL_write and
3944 - Update python documentation for init_standard().
3945 - Typos.
3948 - Fix that auth zone uses correct network type for sockets for
3951 - Fix that auth zone fails over to next master for timeout in tcp.
3952 - Squelch SSL read and write connection reset by peer and broken pipe
3956 - Fix to use event_assign with libevent for thread-safety.
3957 - verbose information about auth zone lookup process, also lookup
3959 - Fix #17: Add python module example from Jan Janak, that is a
3964 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
3968 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
3971 - Fix spelling error in log output for event method.
3974 - Move goto label in answer_from_cache to the end of the function
3976 - Fix auth-zone NSEC3 response for wildcard nodata answers,
3980 - Fix auth-zone NSEC3 response for empty nonterminals with exact
3982 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
3984 - Fix for auth zone nsec3 ent fix for wildcard nodata.
3987 - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
3989 - Fix crash if tls-servic-pem not filled in when necessary.
3992 - Fix #4240: Fix whitespace cleanup in example.conf.
3995 - add type CAA to libpyunbound (accessing libunbound from python).
3998 - Add log message, at verbosity 4, that says the query is encrypted
4000 - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
4003 - Fix for #4233: guard use of NDEBUG, so that it can be passed in
4007 - Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
4011 - output forwarder log in ssl_req_order test.
4014 - Remove memory leak on pythonmod python2 script file init.
4015 - Remove swig gcc8 python function cast warnings, they are ignored.
4016 - Print correct module that failed when module-config is wrong.
4019 - Fix #4229: Unbound man pages lack information, about access-control
4021 - Fix #14: contrib/unbound.init: Fix wrong comparison judgment
4023 - Fix for python module on Windows, fix fopen.
4026 - Fix #4227: pair event del and add for libevent for tcp_req_info.
4029 - Fix the error for unknown module in module-config is understandable,
4031 - In example.conf explain where to put cachedb module in module-config.
4032 - In man page and example config explain that most modules have to
4033 be listed at the start of module-config.
4036 - Fix pythonmod include and sockaddr_un ifdefs for compile on
4040 - Print query name with ip_ratelimit exceeded log lines.
4041 - Spaces instead of tabs in that log message.
4042 - Print query name and IP address when domain rate limit exceeded.
4045 - Fix capsforid canonical sort qsort callback.
4048 - Note default for module-config in man page.
4049 - Fix recursion lame test for qname minimisation asked queries,
4051 - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
4053 - make depend, with newer gcc, nicer layout.
4056 - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
4057 - Fix that qname minimisation does not skip a label when missing
4059 - Fix #4225: clients seem to erroneously receive no answer with
4060 DNS-over-TLS and qname-minimisation.
4063 - Fix that log-replies prints the correct name for local-alias
4064 names, for names that have a CNAME in local-data configuration.
4066 - Add local-zone type inform_redirect, which logs like type inform,
4068 - Perform canonical sort for 0x20 capsforid compare of replies,
4073 - Set ub_ctx_set_tls call signature in ltrace config file for
4075 - improve documentation for tls-service-key and forward-first.
4076 - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
4078 - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
4081 - #8: Fix OpenSSL without ENGINE support compilation.
4082 - Wipe TLS session key data from memory on exit.
4085 - Fix case in which query timeout can result in marking delegation
4089 - Fix spelling of tls-ciphers in example.conf.in.
4090 - Fix #4224: auth_xfr_notify.rpl test broken due to typo
4091 - Fix locking for libunbound context setup with broken port config.
4094 - ub_ctx_set_tls call for libunbound that enables DoT for the machines
4096 - Set build system for added call in the libunbound API.
4097 - List example config for root zone copy locally hosted with auth-zone
4098 as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
4100 - set version to 1.9.0 for release. And this was released with the
4101 spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
4105 - Fix that tcp for auth zone and outgoing does not remove and
4107 - updated contrib/fastrpz.patch to cleanly diff.
4108 - no lock when threads disabled in tcp request buffer count.
4109 - remove compile warnings from libnettle compile.
4110 - output of newer lex 2.6.1 and bison 3.0.5.
4113 - Newer aclocal and libtoolize used for generating configure scripts,
4115 - Fix unit test for python 3.7 new keyword 'async'.
4116 - clang analysis fixes, assert arc4random buffer in init,
4124 - Patch from Florian Obser fixes some compiler warnings:
4144 - Moved includes and make depend.
4147 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
4149 - Fixes for the patch, and man page entry.
4150 - Fix configure to detect SSL_CTX_set_ciphersuites, for better
4152 - Patch for TLS session resumption from Manabu Sonoda,
4153 enable with tls-session-ticket-keys in unbound.conf.
4154 - Fixes for patch (includes, declarations, warnings). Free at end
4157 - Fix for IXFR fallback to reset counter when IXFR does not timeout.
4160 - Fix space calculation for tcp req buffer size.
4161 - Doc for stream-wait-size and unit test.
4162 - unbound-control stats has mem.streamwait that counts TCP and TLS
4164 - Fix for #4219: secondaries not updated after serial change, unbound
4166 - Fix that auth zone after IXFR fallback tries the same master.
4169 - Fix tcp idle timeout test, for difference in the tcp reply code.
4170 - Unit test for tcp request reorder and timeouts.
4171 - Unit tests for ssl out of order processing.
4172 - Fix that multiple dns fragments can be carried in one TLS frame.
4173 - Add stream-wait-size: 4m config option to limit the maximum
4178 - For caps-for-id fallback, use the whitelist to avoid timeout
4180 - increase mesh max activation count for capsforid long fetches.
4183 - Get ready for the DNS flag day: remove EDNS lame procedure, do not
4184 re-query without EDNS after timeout.
4187 - In the out of order processing, reset byte count for (potential)
4189 - Review fixes in out of order processing.
4192 - streamtcp option -a send queries consecutively and prints answers
4194 - Fix for out of order processing administration quit cleanup.
4195 - unit test for tcp out of order processing.
4198 - Initial commit for out-of-order processing for TCP and TLS.
4201 - Log query name for looping module errors.
4204 - Fix syntax in comment of local alias processing.
4205 - Fix NSEC3 record that is returned in wildcard replies from
4206 auth-zone zones with NSEC3 and wildcards.
4209 - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
4211 - Document interaction between the tls-upstream option in the server
4212 section and forward-tls-upstream option in the forward-zone sections.
4213 - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
4217 - Fix for crash in dns64 module if response is null.
4220 - Fix config parser memory leaks.
4221 - ip-ratelimit-factor of 1 allows all traffic through, instead of the
4223 - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
4224 - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
4226 - Fixup openssl 1.0.2 compile
4229 - Fix dns64 allocation in wrong region for returned internal queries.
4232 - Fix icon, no ragged edges and nicer resolutions available, for eg.
4234 - cache-max-ttl also defines upperbound of initial TTL in response.
4237 - Patch for typo in unbound.conf man page.
4238 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
4239 log-replies in the log file for easier log filter maintenance.
4242 - iana portlist updated.
4243 - Fix chroot auth-zone fix to remove chroot prefix.
4244 - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
4248 - Fix that unbound-checkconf does not complains if the config file
4250 - Refuse to start with no ports.
4251 - Remove clang analysis warnings.
4254 - Fix leak in chroot fix for auth-zone.
4255 - Fix clang analysis for outside directory build test.
4258 - Fix DNS64 to not store intermediate results in cache, this avoids
4261 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
4262 - New and better fix for Fix #4193: Fix that prefetch failure does
4264 - auth-zone give SERVFAIL when expired, fallback activates when
4266 - stat count SERVFAIL downstream auth-zone queries for expired zones.
4267 - Put new logos into windows installer.
4268 - Fix windows compile for new rrset roundrobin fix.
4269 - Update contrib fastrpz patch for latest release.
4272 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
4274 - Fix #4193: Fix that prefetch failure does not overwrite valid cache
4276 - Add unbound-control view_local_datas command, like local_datas.
4277 - Fix that unbound-control can send file for view_local_datas.
4280 - With ./configure --with-pyunbound --with-pythonmodule
4283 - pythonmod logs the python error and traceback on failure.
4284 - ignore debug python module for test in doxygen output.
4285 - review fixes for python module.
4286 - Fix #4209: Crash in libunbound when called from getdns.
4287 - auth zone zonefiles can be in a chroot, the chroot directory
4289 - Fix that empty zonefile means the zonefile is not set and not used.
4290 - make depend.
4293 - Scrub NS records from NODATA responses as well.
4296 - Scrub NS records from NXDOMAIN responses to stop fragmentation
4298 - Add patch from Jan Vcelak for pythonmod,
4301 - Removed compile warnings in pythonmod sockaddr routines.
4304 - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
4308 - Bugfix min-client-subnet-ipv6
4311 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
4314 - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
4315 - Fix #4190: Please create a "ANY" deny option, adds the option
4316 deny-any: yes in unbound.conf. This responds with an empty message
4318 - Fix #4141: More randomness to rrset-roundrobin.
4319 - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
4320 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
4321 adds the option unknown-server-time-limit to unbound.conf that
4323 - remade makefile dependencies.
4324 - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
4327 - Add markdel function to ECS slabhash.
4328 - Limit ECS scope returned to client to the scope used for caching.
4329 - Make lint like previous #4154 fix.
4332 - Fix #4192: unbound-control-setup generates keys not readable by
4334 - check that the dnstap socket file can be opened and exists, print
4336 - Fix #4154: make ECS_MAX_TREESIZE configurable, with
4337 the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
4340 - Change fast-server-num default to 3.
4343 - Add fast-server-permil and fast-server-num options.
4344 - Deprecate low-rtt and low-rtt-permil options.
4347 - Squelch log of failed to tcp initiate after TCP Fastopen failure.
4350 - Squelch EADDRNOTAVAIL errors when the interface goes away,
4353 - Set default for so-reuseport to no for FreeBSD. It is enabled
4356 - iana port update.
4359 - updated contrib/fastrpz.patch to apply for this version
4360 - dnscrypt.c removed sizeof to get array bounds.
4361 - Fix testlock code to set noreturn on error routine.
4362 - Remove unused variable from contrib fastrpz/rpz.c and
4364 - clang analyze test is used only when assertions are enabled.
4367 - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
4371 - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
4376 - Perform TLS SNI indication of the host that is being contacted
4380 - Fix #4149: Add SSL cleanup for tcp timeout.
4383 - Fix compile on Mac for unbound, provide explicit_bzero when libc
4385 - Fix unbound for openssl in FIPS mode, it uses the digests with
4387 - Fix that with harden-below-nxdomain and qname minisation enabled
4390 - Stop UDP to TCP failover after timeouts that causes the ping count
4393 - Fix #4156: Fix systemd service manager state change notification.
4396 - Fix seed for random backup code to use explicit zero when wiped.
4397 - exit log routine is annotated as noreturn function.
4398 - free memory leaks in config strlist and str2list insert functions.
4399 - do not move unused argv variable after getopt.
4400 - Remove unused if clause in testcode.
4401 - in testcode, free async ids, initialise array, and check for null
4404 - Free memory leak in config strlist append.
4405 - make sure nsec3 comparison salt is initialized.
4406 - unit test has clang analysis.
4407 - remove unused variable assignment from iterator scrub routine.
4408 - check for null in delegation point during iterator refetch
4410 - neater pointer cast in libunbound context quit routine.
4411 - initialize statistics totals for printout.
4412 - in authzone check that node exists before adding rrset.
4413 - in unbound-anchor, use readwrite memory BIO.
4414 - assertion in autotrust that packed rrset is formed correctly.
4415 - Fix memory leak when message parse fails partway through copy.
4416 - remove unused udpsize assignment in message encode.
4417 - nicer bio free code in unbound-anchor.
4418 - annotate exit functions with noreturn in unbound-control.
4421 - Fixed unused return value warnings in contrib/fastrpz.patch for
4423 - Fix to squelch respip warning in unit test, it is printed at
4425 - Fix spelling errors.
4426 - Fix initialisation in remote.c
4429 - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
4430 - iana port update.
4433 - Fix spelling error in header, from getdns commit by Andreas Gelmini.
4436 - More explicitly mention the type of ratelimit when applying
4437 ip-ratelimit.
4440 - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
4443 - Disable minimal-responses in subnet unit tests.
4446 - Fix that a local-zone with a local-zone-type that is transparent
4447 in a view with view-first, makes queries check for answers from the
4448 local-zones defined outside of views.
4451 - Disable minimal-responses in ipsecmod unit tests.
4452 - Added serve-expired-ttl and serve-expired-ttl-reset options.
4455 - Set defaults to yes for a number of options to increase speed and
4456 resilience of the server. The so-reuseport, harden-below-nxdomain,
4457 and minimal-responses options are enabled by default. They used
4462 otherwise harmless. The harden-below-nxdomain option works well
4465 - next release is called 1.8.0.
4466 - Fix lintflags for lint on FreeBSD.
4469 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
4476 - log-local-actions: yes option for unbound.conf that logs all the
4478 - #4146: num.query.subnet and num.query.subnet_cache counters.
4479 - Fix only misc failure from log-servfail when val-log-level is not
4483 - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
4487 - Set libunbound to increase current, because the libunbound change
4490 - print servfail info to log as error.
4491 - added more servfail printout statements, to the iterator.
4492 - log-servfail: yes prints log lines that say why queries are
4496 - Fix warning on compile without threads.
4497 - Fix contrib/fastrpz.patch.
4500 - Fix segfault in auth-zone read and reorder of RRSIGs.
4503 - Fix that printout of error for cycle targets is a verbosity 4
4505 - Upgraded crosscompile script to include libunbound DLL in the
4509 - Fix #4144: dns64 module caches wrong (negative) information.
4512 - unbound-checkconf checks if modules exist and prints if they are
4514 - document --enable-subnet in doc/README.
4515 - Patch for stub-no-cache and forward-no-cache options that disable
4520 - Make capsforid fallback QNAME minimisation aware.
4523 - Fix #4142: unbound.service.in: improvements and fixes.
4524 Add unit dependency ordering (based on systemd-resolved).
4529 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
4532 - make depend, yacc, lex, doc, headers. And log the limit exceeded
4537 - Fix for #4136: Fix to unconditionally call destroy in daemon.c.
4540 - Expose if a query (or a subquery) was ratelimited (not src IP
4543 libunbound/unbound-event.h.
4544 - Tidy pylib tests.
4547 - Revert previous change for #4136: because it introduces build
4549 - New fix for #4136: This one ignores lex without without
4553 - Fix to remove systemd sockaddr function check, that is not
4556 - iana port list update.
4559 - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
4560 - Sort out test runs when the build directory isn't the project
4562 - Add config tcp-idle-timeout (default 30s). This applies to
4565 - Error if EDNS Keepalive received over UDP.
4566 - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
4568 - Correct and expand manual page entries for keepalive and idle timeout.
4569 - Implement progressive backoff of TCP idle/keepalive timeout.
4570 - Fix 'make depend' to work when build dir is not project root.
4571 - Add delay parameter to streamtcp, -d secs.
4573 - From Wouter: make depend, the dependencies in the patches did not
4575 - Fix mesh.c incompatible pointer pass.
4576 - Please doxygen so it passes.
4577 - Fix #4139: Fix unbound-host leaks memory on ANY.
4580 - Fix #4136: insufficiency from mismatch of FLEX capability between
4584 - Fix man page, say that chroot is enabled by default.
4587 - Fix #4135: 64-bit Windows Installer Creates Entries Under The
4591 - Fix use-systemd readiness signalling, only when use-systemd is yes
4595 - Fix #4130: print text describing -dd and unbound-checkconf on
4598 - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
4601 - Fix #4129 unbound-control error message with wrong cert permissions
4605 - Fix #4127 unbound -h does not list -p help.
4606 - Print error if SSL name verification configured but not available
4608 - Fix that ratelimit and ip-ratelimit are applied after reload of
4610 - Resize ratelimit and ip-ratelimit caches if changed on reload.
4613 - Fix qname minimisation NXDOMAIN validation lookup failures causing
4615 - Squelch can't bind socket errors with Permission denied unless
4619 - Fix to improve systemd socket activation code file descriptor
4621 - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
4625 - Note in documentation that the cert name match code needs
4629 - Fix documentation ambiguity for tls-win-cert in tls-upstream and
4630 forward-tls-upstream docs.
4631 - iana port update.
4632 - Note RFC8162 support. SMIMEA record type can be read in by the
4634 - Fix round robin for failed addresses with prefer-ip6: yes
4637 - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
4638 if DNSSEC is not enabled. New option -R allows fallback from
4642 - Better documentation for unblock-lan-zones and insecure-lan-zones
4644 - Fix permission denied printed for auth zone probe random port nrs.
4647 - Fix checking for libhiredis printout in configure output.
4648 - Fix typo on man page in ip-address description.
4649 - Update libunbound/python/examples/dnssec_test.py example code to
4653 - dns64-ignore-aaaa: config option to list domain names for which the
4658 - num.queries.tls counter for queries over TLS.
4659 - log port number with err_addr logs.
4662 - #4109: Fix that package config depends on python unconditionally.
4663 - Patch, do not export python from pkg-config, from Petr Menšík.
4666 - Partial fix for permission denied on IPv6 address on FreeBSD.
4667 - Fix that auth-zone master reply with current SOA serial does not
4669 - Fix that auth-zone does not start the wait timer without checking
4673 - #4108: systemd reload hang fix.
4674 - Fix usage printout for unbound-host, hostname has to be last
4678 - Fix for unbound-control on Windows and set TCP socket parameters
4681 - Windows example service.conf edited with more windows specific
4683 - Fix windows unbound-control no cert bad file descriptor error.
4687 - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
4689 - Fix unbound-checkconf for control-use-cert.
4693 - tag for 1.7.3rc1.
4694 - trunk has 1.7.4.
4695 - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
4696 - unbound-control auth_zone_transfer _zone_ option starts the probe
4701 - #4103: Fix that auth-zone does not insist on SOA record first in
4703 - Fix that first control-interface determines if TLS is used. Warn
4705 - Fix nettle compile.
4708 - Don't count CNAME response types received during qname minimisation as
4712 - #4102 for NSD, but for Unbound. Named unix pipes do not use
4714 directory permissions. The option control-use-cert is no longer
4716 - Rename tls-additional-ports to tls-additional-port, because every
4718 - Fix buffer size warning in unit test.
4719 - remade dependencies in the Makefile.
4722 - Patch to fix openwrt for mac os build darwin detection in configure.
4725 - Fix crash if ratelimit taken into use with unbound-control
4729 - Fix deadlock caused by incoming notify for auth-zone.
4730 - tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
4732 - #4100: Fix stub reprime when it becomes useless.
4735 - Rename additional-tls-port to tls-additional-ports.
4739 - Patch from Syzdek: Add ability to ignore RD bit and treat all
4743 - in compat/arc4random call getentropy_urandom when getentropy fails
4745 - Fix that fallback for windows port.
4748 - Fix windows tcp and tls spin on events.
4749 - Add routine from getdns to add windows cert store to the SSL_CTX.
4750 - tls-win-cert option that adds the system certificate store for
4751 authenticating DNS-over-TLS connections. It can be used instead
4752 of the tls-cert-bundle option, or with it to add certificates.
4755 - For TCP and TLS connections that don't establish, perform address
4757 - Fix that tcp sticky events are removed for closed fd on windows.
4758 - Fix close events for tcp only.
4761 - Fix that libunbound can do DNS-over-TLS, when configured.
4762 - Fix that windows unbound service can use DNS-over-TLS.
4763 - unbound-host initializes ssl (for potential DNS-over-TLS usage
4764 inside libunbound), when ssl upstream or a cert-bundle is configured.
4767 - Use accept4 to speed up incoming TCP (and TLS) connections,
4771 - Qname minimisation default changed to yes.
4774 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
4777 - Fix contrib/libunbound.pc for libssl libcrypto references,
4781 - Fix windows to not have sticky TLS events for TCP.
4782 - Fix read of DNS over TLS length and data in one read call.
4783 - Fix mesh state assertion failure due to callback removal.
4786 - Fix that configure --with-libhiredis also turns on cachedb.
4787 - Fix gcc 8 buffer warning in testcode.
4788 - Fix function type cast warning in libunbound context callback type.
4791 - Fix fail to reject dead peers in forward-zone, with ssl-upstream.
4794 - Fix that unbound-control reload frees the rrset keys and returns
4798 - Fix spelling error in man page and note defaults as no instead of
4802 - Fix for crash in daemon_cleanup with dnstap during reload,
4804 - Also that for dnscrypt.
4805 - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
4809 - Fix memory leak when caching wildcard records for aggressive NSEC use
4812 - Fix contrib/fastrpz.patch for this release.
4813 - Fix auth https for libev.
4816 - Added root-key-sentinel support
4819 - makedist uses bz2 for expat code, instead of tar.gz.
4820 - Fix #4092: libunbound: use-caps-for-id lacks colon in
4822 - auth zone http download stores exact copy of downloaded file,
4824 - Fix sldns parse failure for CDS alternate delete syntax empty hex.
4825 - Attempt for auth zone fix; add of callback in mesh gets from
4827 - Fix cname classification with qname minimisation enabled.
4828 - list_auth_zones unbound-control command.
4831 - man page documentation for dns-over-tls forward-addr '#' notation.
4832 - removed free from failed parse case.
4833 - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
4835 - Delete auth zone when removed from config.
4838 - Can set tls authentication with forward-addr: IP#tls.auth.name
4839 And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
4840 such as forward-addr: 9.9.9.9@853#dns.quad9.net or
4841 1.1.1.1@853#cloudflare-dns.com
4842 - Fix #658: unbound using TLS in a forwarding configuration does not
4844 - For addr with #authname and no @port notation, the default is 853.
4847 - Fix auth-zone retry timer to be on schedule with retry timeout,
4851 - auth zone notify work.
4852 - allow-notify: config statement for auth-zones.
4853 - unit test for allow-notify
4856 - Fix auth zone target lookup iterator.
4857 - auth zone notify with prefix
4858 - auth zone notify work.
4861 - Fix for max include depth for authzones.
4862 - Fix memory free on fail for $INCLUDE in authzone.
4863 - Fix that an internal error to look up the wrong rr type for
4865 - auth zone notify work.
4868 - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
4872 - documentation for low-rtt and low-rtt-pct.
4873 - auth zone notify work.
4876 - Fix that flush_zone sets prefetch ttl expired, so that with
4877 serve-expired enabled it'll start prefetching those entries.
4878 - num.query.authzone.up and num.query.authzone.down statistics counters.
4879 - Fix downstream auth zone, only fallback when auth zone fails to
4881 - Accept both option names with and without colon for get_option
4883 - low-rtt and low-rtt-pct in unbound.conf enable the server selection
4887 - Combine write of tcp length and tcp query for dns over tls.
4888 - nitpick fixes in example.conf.
4889 - Fix above stub queries for type NS and useless delegation point.
4890 - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
4893 - ED448 support.
4896 - Fix #4043: make test fails due to v6 presentation issue in macOS.
4897 - Fix unable to resolve after new WLAN connection, due to auth-zone
4898 failing with a forwarder set. Now, auth-zone is only used for
4902 - Check "result" in dup_all(), by Florian Obser.
4905 - Fix unbound-control get_option aggressive-nsec
4908 - Do not use cached NSEC records to generate negative answers for
4912 - iana port update.
4915 - corrected a minor typo in the changelog.
4916 - move htobe64/be64toh portability code to cachedb.c.
4919 - Add --with-libhiredis, unbound support for a new cachedb backend
4921 depends on the hiredis client library (https://redislabs.com/lp/hiredis/).
4922 And unbound should be built with both --enable-cachedb and
4923 --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
4925 - Fix #3817: core dump happens in libunbound delete, when queued
4927 - Create additional tls service interfaces by opening them on other
4928 portnumbers and listing the portnumbers as additional-tls-port: nr.
4931 - Fix typo in documentation.
4932 - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
4933 flushed with serve-expired on.
4936 - Added documentation for aggressive-nsec: yes.
4937 - tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
4939 - Fix #3727: Protocol name is TLS, options have been renamed but
4941 - Check IXFR start serial.
4944 - Fix #3598: Fix swig build issue on rhel6 based system.
4945 configure --disable-swig-version-check stops the swig version check.
4948 - tag 1.7.0rc2.
4951 - Fixed contrib/fastrpz.patch, even though this already applied
4953 - patch to log creates keytag queries, from A. Schulze.
4954 - patch suggested by Debian lintian: allow to -> allow one to, from
4956 - Attempt to remove warning about trailing whitespace.
4959 - Reverted fix for #3512, this may not be the best way forward;
4962 - svn trunk contains 1.7.0, this is the number for the next release.
4963 - Fix for windows compile.
4964 - tag 1.7.0rc1.
4967 - Fix to check define of DSA for when openssl is without deprecated.
4968 - iana port update.
4969 - Fix #3582: Squelch address already in use log when reuseaddr option
4973 - Fixup contrib/fastrpz.patch so that it applies.
4974 - Fix compile without threads, and remove unused variable.
4975 - Fix compile with staticexe and python module.
4976 - Fix nettle compile.
4979 - Save wildcard RRset from answer with original owner for use in
4983 - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
4985 - Fix validation for CNAME loops. When it detects a cname loop,
4988 - more robust cachedump rrset routine.
4991 - Fix #3505: Documentation for default local zones references
4993 - Fix #3494: local-zone noview can be used to break out of the view
4995 - Fix for more maintainable code in localzone.
4998 - Fixes for clang static analyzer, the missing ; in
4999 edns-subnet/addrtree.c after the assert made clang analyzer
5003 - Aggressive NSEC tests
5006 - tls-cert-bundle option in unbound.conf enables TLS authentication.
5007 - iana port update.
5010 - Unit test for auth zone https url download.
5013 - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
5014 - Processed aggressive NSEC code review remarks Wouter
5017 - Aggressive use of NSEC implementation. Use cached NSEC records to
5021 - iana port update.
5022 - auth zone url config.
5025 - Fix #3451: dnstap not building when you have a separate build dir.
5027 - auth-zone provides a way to configure RFC7706 from unbound.conf,
5028 eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
5029 fallback-enabled: yes and masters or a zonefile with data.
5032 - Fix unfreed locks in log and arc4random at exit of unbound.
5033 - unit test with valgrind
5034 - Fix lock race condition in dns cache dname synthesis.
5035 - lock subnet new item before insertion to please checklocks,
5039 - fix unaligned structure making a false positive in checklock
5043 - Use NSEC with longest ce to prove wildcard absence.
5044 - Only use *.ce to prove wildcard absence, no longer names.
5047 - ltrace.conf file for libunbound in contrib.
5050 - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
5052 - Print fatal errors about remote control setup before log init,
5056 - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
5057 also recognized and means the same. Also for tls-port,
5058 tls-service-key, tls-service-pem, stub-tls-upstream and
5059 forward-tls-upstream.
5060 - Fix #3397: Fix that cachedb could return a partial CNAME chain.
5061 - Fix #3397: Fix that when the cache contains an unsigned DNAME in
5066 - tag 1.6.8 for release with CVE fix.
5067 - trunk has 1.6.9 with fix and previous commits.
5068 - patch for CVE-2017-15105: vulnerability in the processing of
5070 - iana port update.
5071 - make depend: code dependencies updated in Makefile.
5074 - Copy query and correctly set flags on REFUSED answers when cache
5078 - Fix queries being leaked above stub when refetching glue.
5081 - Fix that DS queries with referral replies are answered straight
5085 - Remove clang optimizer disable,
5086 Fix that expiration date checks don't fail with clang -O2.
5089 - Fix timestamp failure because of clang optimizer failure, by
5090 disabling -O2 when the compiler --version is clang.
5091 - iana port update.
5092 - Also disable -flto for clang, to make incep-expi signature check
5096 - Fix qname-minimisation documentation (A QTYPE, not NS)
5099 - authzone work, transfer connect.
5102 - Check whether --with-libunbound-only is set when using --with-nettle
5103 or --with-nss.
5106 - Fix link failure on OmniOS.
5109 - auth zone work.
5112 - Fix #3299 - forward CNAME daisy chain is not working
5115 - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
5117 - auth xfer work on probe timer and lookup.
5120 - Fix #2801: Install libunbound.pc.
5121 - Fix qname minimisation to send AAAA queries at zonecut like type A.
5122 - reverted AAAA change.
5125 - Fix #2492: Documentation libunbound.
5128 - Fix #2362: TLS1.3/openssl-1.1.1 not working.
5129 - Fix #2034 - Autoconf and -flto.
5130 - Fix #2141 - for libsodium detect lack of entropy in chroot, print
5134 - Fix #1913: ub_ctx_config is under circumstances thread-safe.
5135 - make ip-transparent option work on OpenBSD.
5138 - Document that errno is left informative on libunbound config read
5140 - lexer output.
5141 - iana port update.
5144 - Fixed libunbound manual typo.
5145 - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
5146 - Fix #2031: Double included headers
5149 - Update B root ipv4 address.
5152 - authzone work, probe timer setup.
5155 - lint for recent authzone commit.
5158 - Fix #1749: With harden-referral-path: performance drops, due to
5160 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
5162 - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
5172 The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
5174 - Better documentation for cache-max-negative-ttl.
5175 - Work on local root zone code.
5178 - tag 1.6.7
5179 - trunk has version 1.6.8.
5182 - Fix spelling in unbound-control man page.
5185 - Fix trust-anchor-signaling works in libunbound.
5186 - Fix some more crpls in testdata for different signaling default.
5187 - tag 1.6.7rc1
5190 - Set trust-anchor-signaling default to yes
5191 - Use RCODE from A query on DNS64 synthesized answer.
5194 - Fix param unused warning for windows exportsymbol compile.
5197 - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
5201 - Log name of looping module
5204 - use a cachedb answer even if it's "expired" when serve-expired is yes
5206 - trigger refetching of the answer in that case (this will bypass
5208 - allow storing a 0-TTL answer from cachedb in the in-memory message
5209 cache when serve-expired is yes
5210 - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
5213 - Fix #1400: allowing use of global cache on ECS-forwarding unless
5214 always-forward.
5217 - tag 1.6.6 (is 1.6.6rc2)
5218 - Fix that looping modules always stop the query, and don't pass
5220 - Fix #1435: Please allow UDP to be disabled separately upstream and
5222 - Fix #1440: [dnscrypt] client nonce cache.
5225 - Fix unbound-host to report error for DNSSEC state of failed lookups.
5226 - Spelling fixes, from Josh Soref.
5229 - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
5232 - Add dns64 for client-subnet in unbound-checkconf.
5235 - Fix #1412: QNAME minimisation strict mode not honored
5236 - Fix #1434: Fix windows openssl 1.1.0 linking.
5239 - tag 1.6.6rc1
5240 - makedist fix for windows binaries, with openssl 1.1.0 windres fix,
5244 - Recommend 1472 buffer size in unbound.conf
5247 - Fix #1424: cachedb:testframe is not thread safe.
5248 - For #1417: escape ; in dnscrypt tests.
5249 - but reverted that, tests fails with that escape.
5250 - Fix #1417: [dnscrypt] shared secret cache counters, and works when
5252 - make depend
5253 - Fix #1418: [ip ratelimit] initialize slabhash using
5254 ip-ratelimit-slabs.
5257 - updated contrib/fastrpz.patch to apply with configparser changes.
5258 - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
5261 - Fix #1414: fix segfault on parse failure and log_replies.
5262 - zero qinfo in handle_request, this zeroes local_alias and also the
5264 - new keys and certs for dnscrypt tests.
5265 - fixup WKS test on buildhost without servicebyname.
5268 - Fix #1415: patch to free dnscrypt environment on reload.
5269 - iana portlist update
5270 - Fix #1415: [dnscrypt] shared secret cache, patch from
5272 - Small fixes for the shared secret cache patch.
5273 - Fix WKS records on kvm autobuild host, with default protobyname
5277 - Fix #1407: Add ECS options check to unbound-checkconf.
5278 - make depend
5279 - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
5283 - Fix install of trust anchor when two anchors are present, makes both
5287 - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
5288 - trunk version 1.6.6 in development.
5289 - Fix issue on macOX 10.10 where TCP fast open is detected but not
5293 - Fix #1402: squelch invalid argument error for fd_set_block on windows.
5296 - Patch to show DNSCrypt status in help output, from Carsten
5300 - Fix #1398: make cachedb secret configurable.
5301 - Remove spaces from Makefile.
5304 - Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
5307 - Remove unused iter_env member (ip6arpa_dname)
5308 - Do not reset rrset.bogus stats when called using stats_noreset.
5309 - Added stats for queries that have been ratelimited by domain
5311 - Do not add rrset_bogus and query ratelimiting stats per thread, these
5315 - Fix #1394: mix of serve-expired and response-ip could cause a crash.
5318 - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
5319 config.sub(2016-09-05).
5320 - annotate case statement fallthrough for gcc 7.1.1.
5321 - flex output from flex 2.6.1.
5322 - snprintf of thread number does not warn about truncated string.
5323 - squelch TCP fast open error on FreeBSD when kernel has it disabled,
5325 - remove warning from windows compile.
5326 - Fix compile with libnettle
5327 - Fix DSA configure switch (--disable dsa) for libnettle and libnss.
5328 - Fix #1365: Add Ed25519 support using libnettle.
5329 - iana portlist update
5332 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
5333 - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
5334 With the -p option unbound does not create a pidfile.
5337 - Fix #1344: RFC6761-reserved domains: test. and invalid.
5338 - Redirect all localhost names to localhost address for RFC6761.
5341 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
5342 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
5345 - Fix 1332: Bump verbosity of failed chown'ing of the control socket.
5348 - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
5350 - Fix #1331: libunbound segfault in threaded mode when context is
5352 - Fix pythonmod link line option flag.
5353 - Fix openssl 1.1.0 load of ssl error strings from ssl init.
5356 - Fix python example0 return module wait instead of error for pass.
5357 - iana portlist update
5358 - enhancement for hardened-tls for DNS over TLS. Removed duplicated
5362 - Tag 1.6.4 is created with the 1.6.4rc2 contents.
5363 - Trunk contains 1.6.5, with changes from 26, 27 june.
5364 - Remove signed unsigned warning from authzone.
5365 - Fix that infra cache host hash does not change after reconfig.
5368 - (for 1.6.5)
5370 - First fix for zero b64 and hex text zone format in sldns.
5371 - unbound-control dump_infra prints port number for address if not 53.
5374 - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
5377 - Tag 1.6.4rc2
5380 - Added fastrpz patch to contrib
5383 - Fix #1316: heap read buffer overflow in parse_edns_options.
5386 - Fix warning in pythonmod under clang compiler.
5387 - Tag 1.6.4rc1
5388 - Fix lintian typo.
5391 - Fix #1277: disable domain ratelimit by setting value to 0.
5394 - Fix #1301: memory leak in respip and tests.
5395 - Free callback in edns-subnetmod on exit and restart.
5396 - Fix memory leak in sldns_buffer_new_frm_data.
5397 - Fix memory leak in dnscrypt config read.
5398 - Fix dnscrypt chacha cert support ifdefs.
5399 - Fix dnscrypt chacha cert unit test escapes in grep.
5400 - Remove asynclook tests that cause test and purifier problems.
5401 - Fix to unlock view in view test.
5404 - Fix stub zone queries leaking to the internet for
5405 harden-referral-path ns checks.
5406 - Fix query for refetch_glue of stub leaking to internet.
5409 - Fix #1279: Memory leak on reload when python module is enabled.
5410 - Fix #1280: Unbound fails assert when response from authoritative
5411 contains malformed qname. When 0x20 caps-for-id is enabled, when
5413 - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
5414 - More fixes in depth for buffer checks in 0x20 qname checks.
5417 - Fix #1278: Incomplete wildcard proof.
5420 - Added domain name based ECS whitelist.
5423 - Detect chacha for dnscrypt at configure time.
5424 - dnscrypt unit tests with chacha.
5427 - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
5428 - Add dnscrypt XChaCha20 tests.
5431 - Add an explicit type cast for TCP FASTOPEN fix.
5432 - renumbering B-Root's IPv6 address to 2001:500:200::b.
5433 - Fix #1275: cached data in cachedb is never used.
5434 - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
5437 - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
5441 - Fix fastopen EPIPE fallthrough to perform connect.
5444 - Also use global local-zones when there is a matching view that does
5445 not have any local-zone specified.
5448 - Fix #1273: cachedb.c doesn't compile with -Wextra.
5449 - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
5452 - Fix #1269: inconsistent use of built-in local zones with views.
5453 - Add defaults for new local-zone trees added to views using
5454 unbound-control.
5457 - Support for openssl EVP_DigestVerify.
5458 - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
5461 - Fix assertion for low buffer size and big edns payload when worker
5465 - Added redirect-bogus.patch to contrib directory.
5468 - Fix #1270: unitauth.c doesn't compile with higher warning level
5470 - exec_prefix is by default equal to prefix.
5471 - printout localzone for duplicate local-zone warnings.
5474 - authzone cname chain, no rrset duplicates, wildcard doesn't change
5478 - first services/authzone check in, it compiles and reads and writes
5480 - iana portlist update
5483 - Fix #1268: SIGSEGV after log_reopen.
5486 - Fix #1265 to use /bin/kill.
5487 - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
5491 - Fix #1265: contrib/unbound.service contains hardcoded path.
5494 - Use qstate's region for IPSECKEY rrset (ipsecmod).
5497 - Implemented opportunistic IPsec support module (ipsecmod).
5498 - Some whitespace fixup.
5501 - updated dependencies in the makefile.
5502 - document trust-anchor-signaling in example config file.
5503 - updated configure, dependencies and flex output.
5504 - better module memory lookup, fix of unbound-control shm names for
5506 - Fix type AVC sldns rrdef.
5509 - Adjust servfail by iterator to not store in cache when serve-expired
5511 - Fix queries for nameservers under a stub leaking to the internet.
5514 - Add 'c' to getopt() in testbound.
5515 - iana portlist update
5518 - Fix tcp-mss failure printout text.
5519 - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
5524 - Added mesh_add_sub to add detached mesh entries.
5525 - Use mesh_add_sub for key tag signaling query.
5528 - Added test for leak of stub information.
5529 - Fix sldns wire2str printout of RR type CAA tags.
5530 - Fix sldns int16_data parse.
5531 - Fix sldns parse and printout of TSIG RRs.
5532 - sldns SMIMEA and AVC definitions, same as getdns definitions.
5535 - Fix #1259: "--disable-ecdsa" argument overwritten
5537 - iana portlist update
5538 - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
5542 - Implemented trust anchor signaling using key tag query.
5545 - Based on #1257: check parse limit before t increment in sldns RR
5549 - unbound-checkconf -o allows query of dnstap config variables.
5550 Also unbound-control get_option. Also for dnscrypt.
5551 - trunk contains 1.6.3 version number (changes from 1.6.2 back from
5555 - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
5556 - iana portlist update
5559 - Fix #1252: more indentation inconsistencies.
5560 - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
5563 - Added ECS unit test (from Manu Bretelle).
5564 - ECS documentation fix (from Manu Bretelle).
5567 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
5568 - tag for 1.6.2rc1
5569 - (for 1.6.3:) unbound.h exports the shm stats structures. They use
5573 - subnet mem value is available in shm, also when not enabled,
5578 - Fix #1247: unbound does not shorten source prefix length when
5580 - Properly check for allocation failure in local_data_find_tag_datas.
5581 - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
5582 - Set SHM ECS memory usage to 0 when module not loaded.
5585 - Display ECS module memory usage.
5588 - harden-algo-downgrade: no also makes unbound more lenient about
5592 - Remove ECS option after REFUSED answer.
5593 - Fix small memory leak in edns_opt_copy_alloc.
5594 - Respip dereference after NULL check.
5595 - Zero initialize addrtree allocation.
5596 - Use correct identifier for SHM destroy.
5599 - Fix pythonmod for cb changes.
5600 - Some whitespace fixup.
5603 - Unlock view in respip unit test
5606 - Generalise inplace callback (de)registration
5607 - (de)register inplace callbacks for module id
5608 - No unbound-control set_option for ECS options
5609 - Deprecated client-subnet-opcode config option
5610 - Introduced client-subnet-always-forward config option
5611 - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
5612 - Removed extern ECS config options
5613 - module_restart_next now calls clear on all following modules
5614 - Also create ECS module qstate on module_event_pass event
5615 - remove malloc from inplace_cb_register
5618 - Small fixup for documentation.
5619 - iana portlist update
5620 - Fix respip for braces when locks arent used.
5621 - Fix pythonmod for cb changes.
5624 - Fix #1244: document that use of chroot requires trust anchor file to
5626 - iana portlist update
5629 - Do not add current time twice to TTL before ECS cache store.
5630 - Do not touch rrset cache after ECS cache message generation.
5631 - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
5634 - Fix #1217: Add metrics to unbound-control interface showing
5637 - iana portlist update
5640 - Remove (now unused) event2 include from dnscrypt code.
5643 - Fix to prevent non-referal query from being cached as referal when the
5647 - Fix #1239: configure fails to find python distutils if python
5651 - Fix #1238: segmentation fault when adding through the remote
5652 interface a per-view local zone to a view with no previous
5654 - Fix #1229: Systemd service sandboxing, options in wrong sections.
5657 - Merge EDNS Client subnet implementation from feature branch into main
5661 - Fix doxygen for dnscrypt files.
5664 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
5666 - make depend, autoconf, remove warnings about statement before var.
5667 - lru_demote and lruhash_insert_or_retrieve functions for getdns.
5668 - fixup for lruhash (whitespace and header file comment).
5669 - dnscrypt tests.
5672 - Patch for view functionality for local-data-ptr from Björn Ketelaars.
5673 - Fix #1237 - Wrong resolving in chain, for norec queries that get
5677 - Fix that SHM is not inited if not enabled.
5678 - Add trustanchor.unbound CH TXT that gets a response with a number
5681 - Fix that looped DNAMEs do not cause unbound to spend effort.
5682 - trustanchor tags are sorted. reusable routine to fetch taglist.
5685 - testbound understands Deckard MATCH rcode question answer commands.
5686 - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
5690 - Fix #1234: shortening DNAME loop produces duplicate DNAME records
5694 - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
5696 - fake-sha1 test option; print warning if used. To make unit tests.
5697 - unbound-control list local zone and data commands listed in the
5701 - make depend for build dependencies.
5702 - swig version 2.0.1 required.
5703 - fix enum conversion warnings
5706 - Fix #1230: swig version 2.0.0 is required for pythonmod, with
5707 1.3.40 it crashes when running repeatly unbound-control reload.
5708 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
5711 - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
5712 - iana portlist update
5715 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
5719 - For #1227: if we have sha256, set the cipher list to have no
5723 - Fix #1227: Fix that Unbound control allows weak ciphersuits.
5724 - Fix #1226: provide official 32bit binary for windows.
5727 - include sys/time.h for new shm code on NetBSD.
5730 - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
5732 - Patch from Luiz Fernando Softov for Stats Shared Memory.
5733 - unbound-control stats_shm command prints stats using shared memory,
5735 - make depend, autoconf, doxygen and lint fixed up.
5738 - Fix #1224: Fix that defaults should not fall back to "Program Files
5742 - iana portlist update
5745 - sldns updated for vfixed and buffer resize indication from getdns.
5748 - sldns has ED25519 and ED448 algorithm number and name for display.
5751 - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
5754 - Fix autoconf of systemd check for lack of pkg-config.
5757 - Fix pythonmod for typedef changes.
5758 - Fix dnstap for warning of set but not used.
5759 - tag 1.6.1rc2.
5762 - tag 1.6.1rc1.
5765 - Fix for type name change and fix warning on windows compile.
5768 - Include root trust anchor id 20326 in unbound-anchor.
5771 - Fix compile on solaris of the fix to use $host detect.
5774 - fix root_anchor test for updated icannbundle.pem lower certificates.
5777 - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
5781 - Increase MAX_MODULE to 16.
5784 - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
5786 - Fix to rename internally used types from _t to _type, because _t
5788 - iana portlist update
5791 - Fix to also block meta types 128 through to 248 with formerr.
5792 - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
5795 - Fix #1202: Fix code comment that packed_rrset_data is not always
5799 - Fix #1201: Fix missing unlock in answer_from_cache error condition.
5802 - Fix to return formerr for queries for meta-types, to avoid
5803 packet amplification if this meta-type is sent on to upstream.
5804 - Fix #1184: Log DNS replies. This includes the same logging
5807 - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
5810 - configure --enable-systemd and lets unbound use systemd sockets if
5811 you enable use-systemd: yes in unbound.conf.
5815 - Fix reload chdir failure when also chrooted to that directory.
5818 - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
5821 - Fix #1190: Do not echo back EDNS options in local-zone error response.
5822 - iana portlist update
5825 - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
5829 - Fix #1191: remove comment about view deletion.
5832 - iana portlist update
5833 - 64bit is default for windows builds.
5834 - Fix inet_ntop and inet_pton warnings in windows compile.
5837 - Fix #1178: attempt to fix setup error at end, pop result values
5841 - Fix #1182: Fix Resource leak (socket), at startup.
5842 - Fix unbound-control and ipv6 only.
5845 - Fix #1176: stack size too small for Alpine Linux.
5848 - Fix downcast warnings from visual studio in sldns code.
5849 - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
5852 - Add DSA support for OpenSSL 1.1.0
5853 - Fix remote control without cert for LibreSSL
5856 - Added generic EDNS code for registering known EDNS option codes,
5860 - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
5862 - Added code for registering inplace callback functions. The registered
5868 - Updated Python module for the above.
5869 - Updated Python documentation.
5872 - Fix #1173: differ local-zone type deny from unset
5876 - Fix #1170: document that 'inform' local-zone uses local-data.
5879 - hyphen as minus fix, by Andreas Schulze
5882 - Added local-zones and local-data bulk addition and removal
5883 functionality in unbound-control (local_zones, local_zones_remove,
5885 - iana portlist update
5888 - version 1.6.0 is in the development branch.
5889 - braces in view.c around lock statements.
5892 - new install-sh.
5895 - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
5899 - Make access-control-tag-data RDATA absolute. This makes the RDATA
5900 origin consistent between local-data and access-control-tag-data.
5901 - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
5903 - QNAME minimisation uses QTYPE=A, therefore always check cache for
5904 this type in harden-below-nxdomain functionality.
5905 - Added unit test for QNAME minimisation + harden below nxdomain
5909 - iana portlist update.
5910 - Fix unit tests for DS hash processing for fake-dsa test option.
5911 - patch from Dag-Erling Smorgrav that removes code that relies
5915 - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
5916 Underneath" for the harden-below-nxdomain option.
5919 - Fix #1155: test status code of unbound-control in 04-checkconf,
5923 - Added stub-ssl-upstream and forward-ssl-upstream options.
5926 - configure detects ssl security level API function in the autoconf
5929 - Fix #1154: segfault when reading config with duplicate zones.
5930 - Note that for harden-below-nxdomain the nxdomain must be secure,
5934 - Set OpenSSL security level to 0 when using aNULL ciphers.
5937 - .gitattributes line for githubs code language display.
5938 - log-identity: config option to set sys log identity, patch from
5942 - iana portlist update.
5945 - Fix failure to build on arm64 with no sbrk.
5946 - iana portlist update.
5949 - Patch for server.num.zero_ttl stats for count of expired replies,
5953 - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
5954 with the undocumented switch 'fake-dsa'. It logs a warning.
5957 - Fix #1134: unbound-control set_option -- val-override-date: -1 works
5959 The -- is to ignore the '-1' as an option flag.
5962 - serve-expired config option: serve expired responses with TTL 0.
5963 - g.root-servers.net has AAAA address.
5966 - Ported tests for local_cname unit test to testbound framework.
5969 - suppress compile warning in lex files.
5970 - init lzt variable, for older gcc compiler warnings.
5971 - fix --enable-dsa to work, instead of copying ecdsa enable.
5972 - Fix DNSSEC validation of query type ANY with DNAME answers.
5973 - Fixup query_info local_alias init.
5976 - Fix #1130: whitespace in example.conf.in more consistent.
5979 - Patch that resolves CNAMEs entered in local-data conf statements that
5981 - Removed patch comments from acllist.c and msgencode.c
5982 - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
5984 - Fix #1125: unbound could reuse an answer packet incorrectly for
5986 - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
5987 - Added Requires line to libunbound.pc
5988 - Please doxygen by modifying mesh.h
5991 - Re-fix #839 from view commit overwrite.
5992 - Fixup const void cast warning.
5995 - Free view config elements.
5998 - Added qname-minimisation-strict config option.
5999 - iana portlist update.
6000 - fix memoryleak logfile when in debug mode.
6003 - Added views functionality.
6004 - Fix #1117: spelling errors, from Robert Edmonds.
6007 - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
6010 - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
6011 - Fix #839: Memory grows unexpectedly with large RPZ files.
6012 - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
6013 - Fix #841: big local-zone's make it consume large amounts of memory.
6016 - tag for 1.5.10 release
6017 - trunk contains 1.5.11 in development.
6018 - Fix dnstap relaying "random" messages instead of resolver/forwarder
6020 - Fix #836: unbound could echo back EDNS options in an error response.
6023 - iana portlist update.
6024 - Fix #835: fix --disable-dsa with nettle verify.
6025 - tag for 1.5.10rc1 release.
6028 - Fix 883: error for duplicate local zone entry.
6029 - Test for openssl init_crypto and init_ssl functions.
6032 - fix potential memory leak in daemon/remote.c and nullpointer
6034 - iana portlist update.
6037 - Silenced flex-generated sign-unsigned warning print with gcc
6039 - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
6042 - Fix #831: workaround for spurious fread_chk warning against petal.c
6045 - Take configured minimum TTL into consideration when reducing TTL
6049 - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
6050 off-by-one typo, from Jinmei Tatuya (Infoblox).
6051 - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
6052 - Fix #828: missing type in access-control-tag-action redirect results
6056 - Fix compile with openssl 1.1.0 with api=1.1.0.
6059 - RFC 7958 is now out, updated docs for unbound-anchor.
6060 - Fix for compile without warnings with openssl 1.1.0.
6061 - Fix #826: Fix refuse_non_local could result in a broken response.
6062 - iana portlist update.
6065 - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
6067 - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
6070 - Clarify local-zone-override entry in unbound.conf.5
6073 - 64bit build option for makedist windows compile, -w64.
6076 - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
6078 - unbound.conf.5 entries for define-tag, access-control-tag,
6079 access-control-tag-action, access-control-tag-data, local-zone-tag,
6080 and local-zone-override.
6083 - Fix #804: unbound stops responding after outage. Fixes queries
6085 - Fix #804: lower num_target_queries for iterator also for failed
6089 - Note that OPENPGPKEY type is RFC 7929.
6092 - Fix #807: workaround for possible some "unused" function parameters
6096 - use sendmsg instead of sendto for TFO.
6099 - Fix #806: wrong comment removed.
6102 - nicer ratelimit-below-domain explanation.
6105 - Fix #801: missing error condition handling in
6107 - Fix #802: workaround for function parameters that are "unused"
6109 - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
6112 - Fix typo in unbound.conf.
6115 - Fix #798: Client-side TCP fast open fails (Linux).
6118 - TCP Fast open patch from Sara Dickinson.
6119 - Fixed unbound.doxygen for 1.8.11.
6122 - access-control-tag-data implemented. verbose(4) prints tag debug.
6125 - Fix dynamic link of anchor-update.exe on windows.
6126 - Fix detect of mingw for MXE package build.
6127 - Fixes for 64bit windows compile.
6128 - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
6129 --with-libunbound-only --with-nettle.
6132 - For #787: prefer-ip6 option for unbound.conf prefers to send
6134 - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
6139 - Document always_transparent, always_refuse, always_nxdomain types.
6142 - Fix static compile on windows missing gdi32.
6145 - Create a pkg-config file for libunbound in contrib.
6148 - Fix #784: Build configure assumess that having getpwnam means there
6150 - Updated repository with newer flex and bison output.
6153 - Possibility to specify local-zone type for an acl/tag pair
6154 - Possibility to specify (override) local-zone type for a source address
6157 - Decrease dp attempts at each QNAME minimisation iteration
6160 - Fix tcp timeouts in tv.usec.
6163 - TCP_TIMEOUT is specified in milliseconds.
6164 - If more than half of tcp connections are in use, a shorter timeout
6168 - QNAME minimisation unit test for dropped QTYPE=A queries.
6171 - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
6173 - Fix spelling in freebind option man page text.
6174 - Fix windows link of ssl with crypt32.
6175 - Fix 779: Union casting is non-portable.
6176 - Fix 780: MAP_ANON not defined in HP-UX 11.31.
6177 - Fix 781: prealloc() is an HP-UX system library call.
6180 - Use QTYPE=A for QNAME minimisation.
6181 - Keep track of number of time-outs when performing QNAME minimisation.
6182 Stop minimising when number of time-outs for a QNAME/QTYPE pair is
6186 - Fix #778: unbound 1.5.9: -h segfault (null deref).
6187 - Fix directory: fix for unbound-checkconf, it restores cwd.
6190 - And delete service.conf.shipped on uninstall.
6191 - In unbound.conf directory: dir immediately changes to that directory,
6194 - keep debug symbols in windows build.
6195 - do not delete service.conf on windows uninstall.
6196 - document directory immediate fix and allow EXECUTABLE syntax in it
6200 - Trunk is called 1.5.10 (with previous fixes already in there to 2
6202 - Revert fix for NetworkService account on windows due to breakage
6204 - Fix that windows install will not overwrite existing service.conf
6208 - Lookup localzones by taglist from acl.
6209 - Possibility to lookup local_zone, regardless the taglist.
6210 - Added local_zone/taglist/acl unit test.
6213 - Fix #773: Non-standard Python location build failure with pyunbound.
6214 - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
6217 - Better help text from -h (from Ray Griffith).
6218 - access-control-tag config directive.
6219 - local-zone-override config directive.
6220 - access-control-tag-action and access-control-tag-data config
6222 - free acl-tags, acltag-action and acltag-data config lists during
6226 - Fix to not ignore return value of chown() in daemon startup.
6229 - Fix libubound for edns optlist feature.
6230 - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
6231 - Fix #752: retry resource temporarily unavailable on control pipe.
6232 - un-document localzone tags.
6233 - tag for release 1.5.9rc1.
6235 - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
6237 - re-documented localzone tags in example.conf.
6240 - Fix windows service to be created run with limited rights, as a
6242 - compat strsep implementation.
6243 - generic edns option parse and store code.
6244 - and also generic edns options for upstream messages (and replies).
6250 - Fix time in case answer comes from cache in ub_resolve_event().
6251 - Attempted fix for #765: _unboundmodule missing for python3.
6254 - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
6256 - Document write permission to directory of trust anchor needed.
6257 - Fix #768: Unbound Service Sometimes Can Not Shutdown
6261 - Updated patch from Charles Walker.
6264 - disable-dnssec-lame-check config option from Charles Walker.
6265 - remove memory leak from lame-check patch.
6266 - iana portlist update.
6269 - Fix #767: Reference to an expired Internet-Draft in
6270 harden-below-nxdomain documentation.
6273 - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
6275 - iana portlist update.
6278 - Fix #766: dns64 should synthesize results on timeout/errors.
6281 - Fix #761: DNSSEC LAME false positive resolving nic.club.
6284 - trunk updated with output of flex 2.6.0.
6287 - Fix memory leak in out-of-memory conditions of local zone add.
6290 - Fix sldns with static checking fixes copied from getdns.
6293 - Fix #759: 0x20 capsforid no longer checks type PTR, for
6297 - Fix some malformed responses to edns queries get fallback to nonedns.
6300 - cachedb module event handling design.
6303 - cachedb module framework (empty).
6304 - iana portlist update.
6307 - Fix #753: document dump_requestlist is for first thread.
6310 - Document permit-small-holddown for 5011 debug.
6311 - Fix #749: unbound-checkconf gets SIGSEGV when use against a
6315 - OpenSSL 1.1.0 portability, --disable-dsa configure option.
6318 - Fix compile of getentropy_linux for SLES11 servicepack 4.
6319 - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
6320 - Fix test for openssl to use HMAC_Update for 1.1.0.
6321 - acx_nlnetlabs.m4 to v33, with HMAC_Update.
6322 - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
6323 - ERR_remove_state deprecated since openssl 1.0.0.
6324 - OPENSSL_config is deprecated, removing.
6327 - Validate QNAME minimised NXDOMAIN responses.
6328 - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
6329 harden-below-nxdomain.
6332 - Limit number of QNAME minimisation iterations.
6335 - Fix #746: Fix unbound sets CD bit on all forwards.
6339 - iana portlist update.
6342 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
6343 - Fix ip-transparent for tcp on freebsd.
6346 - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
6350 - Fix warnings in ifdef corner case, older or unknown libevent.
6351 - Fix compile for ub_event code with older libev.
6354 - Remove warning about unused parameter in event_pluggable.c.
6355 - Fix libev usage of dispatch return value.
6356 - No side effects in tolower() call, in case it is a macro.
6357 - For test put free in pluggable api in parenthesis.
6360 - Fixup backend2str for libev.
6363 - User defined pluggable event API for libunbound
6364 - Fixup of compile fix for pluggable event API from P.Y. Adi
6368 - Updated configure and ltmain.sh.
6369 - Updated L root IPv6 address.
6372 - Fix #747: assert in outnet_serviced_query_stop.
6373 - iana ports fetched via https.
6374 - iana portlist update.
6377 - configure tests for the weak attribute support by the compiler.
6380 - 1.5.8 release tag
6381 - trunk contains 1.5.9 in development.
6382 - iana portlist update.
6383 - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
6387 - Fix OpenBSD asynclook lock free that gets used later (fix test code).
6388 - Fix that NSEC3 negative cache is used when there is no salt.
6391 - ub_ctx_set_stub() function for libunbound to config stub zones.
6392 - sorted ubsyms.def file with exported libunbound functions.
6395 - Print understandable debug log when unusable DS record is seen.
6396 - load gost algorithm if digest is seen before key algorithm.
6397 - iana portlist update.
6400 - Fix that "make install" fails due to "text file busy" error.
6403 - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
6406 - ip-transparent option for FreeBSD with IP_BINDANY socket option.
6407 - wait for sendto to drain socket buffers when they are full.
6410 - Test for type OPENPGPKEY.
6411 - insecure-lan-zones: yesno config option, patch from Dag-Erling
6415 - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
6416 - RR Type CSYNC support RFC 7477, in debug printout and config input.
6417 - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
6420 - Neater cmdline_verbose increment patch from Edgar Pettijohn.
6423 - Made netbsd sendmsg test nonfatal, in case of false positives.
6424 - Fix #741: log message for dnstap socket connection is more clear.
6427 - Fix #734: chown the pidfile if it resides inside the chroot.
6428 - Use arc4random instead of random in tests (because it is
6430 - Fix cmsg alignment for argument to sendmsg on NetBSD.
6431 - Fix that unbound complains about unimplemented IP_PKTINFO for
6432 sendmsg on NetBSD (for interface-automatic).
6435 - Fix #738: Swig should not be invoked with CPPFLAGS.
6438 - Squelch 'cannot assign requested address' log messages unless
6442 - Fix to simplify empty string checking from Michael McConville.
6443 - iana portlist update.
6446 - Fix #734: Do not log an error when the PID file cannot be chown'ed.
6450 - Fix test if -pthreads unused to use better grep for portability.
6453 - Fix mingw crosscompile for recent mingw.
6454 - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
6457 - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
6459 - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
6463 - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
6465 - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
6470 - Fix #729: omit use of escape sequences in echo since they are not
6471 portable (unbound-control-setup).
6474 - remove NULL-checks before free, patch from Michael McConville.
6475 - updated ax_pthread.m4 to version 21 with clang support, this
6477 - OSX portability, detect if sbrk is deprecated.
6478 - OSX clang, stop -pthread unused during link stage warnings.
6479 - OSX clang new flto check.
6482 - 1.5.7 release
6483 - trunk has 1.5.8 in development.
6486 - Fixup 724 for unbound-control.
6489 - Do not minimise forwarded requests.
6492 - Removed unneeded whitespace from example.conf.
6495 - (after rc1 tag)
6496 - Committed fix to qname minimisation and unit test case for it.
6499 - iana portlist update.
6500 - 1.5.7rc1 prerelease tag.
6503 - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
6504 re-enable stdout printout.
6505 - For 724: Add Changelog to windows binary dist.
6508 - Qname minimisation review fixes
6511 - Fixup 724 fix for fname_after_chroot() calls.
6512 - Remove stdout printout for unbound-service-install.exe
6513 - .gitignore for git users.
6516 - Implemented qname minimisation
6519 - Fix for #724: conf syntax to read files from run dir (on Windows).
6522 - Fix for #720, fix unbound-control-setup windows batch file.
6525 - Fix #720: add windows scripts to zip bundle.
6526 - iana portlist update.
6529 - Added assert on rrset cache correctness.
6530 - Fix that malformed EDNS query gets a response without malformed EDNS.
6533 - newer acx_nlnetlabs.m4.
6534 - spelling fixes from Igor Sobrado Delgado.
6537 - Fix #594. libunbound: optionally use libnettle for crypto.
6538 Contributed by Luca Bruno. Added --with-nettle for use with
6539 --with-libunbound-only.
6540 - refactor nsec3 hash implementation to be more library-portable.
6541 - iana portlist update.
6542 - Fixup DER encoded DSA signatures for libnettle.
6545 - Fix for lenient accept of reverse order DNAME and CNAME.
6548 - Change example.conf: ftp.internic.net to https://www.internic.net
6551 - ACX_SSL_CHECKS no longer adds -ldl needlessly.
6554 - Fix #718: Fix unbound-control-setup with support for env
6558 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
6559 - Fix #716: nodata proof with empty non-terminals and wildcards.
6562 - Fix checklock testcode for linux threads on exit.
6565 - isblank() compat implementation.
6566 - detect libexpat without xml_StopParser function.
6567 - portability fixes.
6568 - portability, replace snprintf if return value broken.
6571 - Fix #714: Document config to block private-address for IPv4
6575 - Fix #712: unbound-anchor appears to not fsync root.key.
6578 - 1.5.6 release.
6579 - trunk tracks development of 1.5.7.
6582 - Fix segfault in the dns64 module in the formaterror error path.
6583 - Fix sldns_wire2str_rdata_scan for malformed RRs.
6584 - tag for 1.5.6rc1 release.
6587 - ANY responses include DNAME records if present, as per Evan Hunt's
6589 - Fix manpage to suggest using SIGTERM to terminate the server.
6592 - Default for ssl-port is port 853, the temporary port assignment
6597 - iana portlist update.
6600 - 1.5.5 release.
6601 - trunk tracks the development of 1.5.6.
6604 - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
6606 - tag for 1.5.5rc1 release.
6607 - makedist.sh: pgp sig echo commands.
6610 - Fix unbound-control flush that does not succeed in removing data.
6613 - Fix config globbed include chroot treatment, this fixes reload of
6614 globs (patch from Dag-Erling Smørgrav).
6615 - iana portlist update.
6616 - Fix #702: New IPs for for h.root-servers.net.
6617 - Remove confusion comment from canonical_compare() function.
6618 - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
6619 - testbound selftest also works in non-debug mode.
6620 - Fix minor error in unbound.conf.5.in
6621 - Fix unbound.conf(5) access-control description for precedence
6625 - changed windows setup compression to be more transparent.
6628 - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
6630 - Feature #699: --enable-pie option to that builds PIE binary.
6631 - Feature #700: --enable-relro-now option that enables full read-only
6635 - Fix deadlock for local data add and zone add when unbound-control
6637 - iana portlist update.
6638 - Change default of harden-algo-downgrade to off. This is lenient
6642 - 5011 implementation does not insist on all algorithms, when
6643 harden-algo-downgrade is turned off.
6644 - Reap the child process that libunbound spawns.
6647 - Fix #694: configure script does not detect LibreSSL 2.2.2
6650 - Document that local-zone nodefault matches exactly and transparent
6654 - Document in the manual more text about configuring locally served
6656 - Fix 5011 anchor update timer after reload.
6657 - Fix mktime in unbound-anchor not using UTC.
6660 - please afl-gcc (llvm) for uninitialised variable warning.
6661 - Added permit-small-holddown config to debug fast 5011 rollover.
6664 - Fix #690: Reload fails when so-reuseport is yes after changing
6665 num-threads.
6666 - iana portlist update.
6669 - Fix configure to detect SSL_CTX_set_ecdh_auto.
6670 - iana portlist update.
6673 - Enable ECDHE for servers. Where available, use
6674 SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
6680 - Allow certificate chain files to allow for intermediate certificates.
6684 - makedist produces sha1 and sha256 files for created binaries too.
6687 - 1.5.4 release tag
6688 - trunk has 1.5.5 in development.
6689 - Fix #681: Setting forwarders with unbound-control forward
6690 implicitly turns on forward-first.
6693 - iana portlist update.
6694 - Fix alloc with log for allocation size checks.
6697 - Fix #677 Fix DNAME responses from cache that failed internal chain
6699 - iana portlist update.
6702 - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
6706 - RFC 7553 RR type URI support, is now enabled by default.
6709 - Fix #674: Do not free pointers given by getenv.
6712 - Fix that unparseable error responses are ratelimited.
6713 - SOA negative TTL is capped at minimumttl in its rdata section.
6714 - cache-max-negative-ttl config option, default 3600.
6717 - Document that ratelimit works with unbound-control set_option.
6720 - iana portlist update.
6721 - documentation proposes ratelimit of 1000 (closer to what upstream
6725 - DLV is going to be decommissioned. Advice to stop using it, and
6729 - Change syntax of particular validator error to be easier for
6735 - caps-whitelist in unbound.conf allows whitelist of loadbalancers
6736 that cannot work with caps-for-id or its fallback.
6739 - Unit test for type ANY synthesis.
6742 - Removed contrib/unbound_unixsock.diff, because it has been
6743 integrated, use control-interface: /path in unbound.conf.
6744 - iana portlist update.
6747 - Synthesize ANY responses from cache. Does not search exhaustively,
6749 - Fix leaked dns64prefix configuration string.
6752 - Add local-zone type inform_deny, that logs query and drops answer.
6753 - Ratelimit does not apply to prefetched queries, and ratelimit-factor
6756 - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
6759 libunbound-Python: libldns is not used anymore.
6763 - unbound-control ratelimit_list lists high rate domains.
6764 - ratelimit feature, ratelimit: 100, or some sensible qps, can be
6767 - Fix that get_option for cache-sizes does not print double newline.
6768 - Fix#663: ssl handshake fails when using unix socket because dh size
6772 - Fix crash in dnstap: Do not try to log TCP responses after timeout.
6775 - Libunbound skips dos-line-endings from etc/hosts.
6776 - Unbound exits with a fatal error when the auto-trust-anchor-file
6778 load a readonly auto-trust-anchor-file with trust-anchor-file.
6782 - unbound-control list_insecure command shows the negative trust
6786 - Fix #660: Fix interface-automatic broken in the presence of
6790 - remote.c probedelay line is easier to read.
6791 - rename ldns subdirectory to sldns to avoid name collision.
6794 - Fix #657: libunbound(3) recommends deprecated
6796 - If unknown trust anchor algorithm, and libressl is used, error
6800 - Fix segfault on user not found at startup (from Maciej Soltysiak).
6803 - Fixed to add integer overflow checks on allocation (defense in depth).
6806 - Add ip-transparent config option for bind to non-local addresses.
6809 - Use reallocarray for integer overflow protection, patch submitted
6813 - Fixup compile on cygwin, more portable openssl thread id.
6816 - Updated default keylength in unbound-control-setup to 3k.
6819 - Fix lintian warning in unbound-checkconf man page (from Andreas
6821 - print svnroot when building windows dist.
6822 - iana portlist update.
6823 - Fix warning on sign compare in getentropy_linux.
6826 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
6829 - iana portlist update.
6832 - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
6834 - Document that incoming-num-tcp increase is good for large servers.
6835 - stats reports tcp usage, of incoming-num-tcp buffers.
6838 - Patch from Brad Smith that syncs compat/getentropy_linux with
6839 OpenBSD's version (2015-03-04).
6840 - 0x20 fallback improved: servfail responses do not count as missing
6843 many nameservers does not try to compare more than max-sent-count,
6845 - store caps_response with best response in case downgrade response
6847 - Document windows 8 tests.
6850 - tag 1.5.3rc1
6854 - iana portlist update.
6857 - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
6859 - Fix #645 Portability to Solaris 10, use AF_LOCAL.
6860 - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
6861 - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
6865 - 1.5.2 release tag.
6866 - svn trunk contains 1.5.3 under development.
6869 - Fix #643: doc/example.conf.in: unnecessary whitespace.
6872 - tag 1.5.2rc1
6875 - iana portlist update.
6878 - Fix scrubber with harden-glue turned off to reject NS (and other
6879 not-address) records.
6882 - Fix validation failure in case upstream forwarder (ISC BIND) does
6887 - infra-cache-min-rtt patch from Florian Riehm, for expected long
6891 - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
6893 - Portability fix for Solaris ('sun' is not usable for a variable).
6896 - Fix pyunbound byte string representation for python3.
6899 - Fix unintended use of gcc extension for incomplete enum types,
6903 - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
6906 - unit test for local unix connection. Documentation and log_addr
6908 - unbound-checkconf -f prints chroot with pidfile path.
6911 - iana portlist update.
6914 - Cast sun_len sizeof to socklen_t.
6915 - Fix pyunbound ord call, portable for python 2 and 3.
6918 - Fix warnings in pythonmod changes.
6921 - iana portlist update.
6922 - patch for remote control over local sockets, from Dag-Erling
6923 Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
6924 control-use-cert: no.
6925 - Fixup that patch and uid lookup (only for daemon).
6926 - coded the default of control-use-cert, to yes.
6929 - getauxval test for ppc64 linux compatibility.
6930 - make strip works for unbound-host and unbound-anchor.
6931 - patch from Stephane Lapie that adds to the python API, that
6933 - print query name when max target count is exceeded.
6934 - patch from Stuart Henderson that fixes DESTDIR in
6935 unbound-control-setup for installs where config is not in
6937 - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
6939 - Updated contrib warmup.cmd/sh to support two modes - load
6940 from pre-defined list of domains or (with filename as argument)
6941 load from user-specified list of domains, and updated contrib
6945 - Patch from Philip Paeps to contrib/unbound_munin_ that uses
6950 - svn trunk has 1.5.2 in development.
6951 - config.guess and config.sub update from libtoolize.
6952 - local-zone: example.com inform makes unbound log a message with
6956 - Fix CVE-2014-8602: denial of service by making resolver chase
6960 - Fix bug#632: unbound fails to build on AArch64, protects
6964 - Add include to getentropy_linux.c, hopefully fixing debian build.
6967 - Fix makefile for build from noexec source tree.
6970 - Fix libunbound undefined symbol errors for main.
6974 - Fix log at high verbosity and memory allocation failure.
6975 - iana portlist update.
6978 - Fix crash on multiple thread random usage on systems without
6982 - fix compat/getentropy_win.c check if CryptGenRandom works and no
6986 - Fix cdflag dns64 processing.
6989 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
6991 - iana portlist update.
6994 - Fix #627: SSL_CTX_load_verify_locations return code not properly
6998 - parser with bison 2.7
7001 - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
7002 added to contrib/aaaa-filter-iterator.patch.
7005 - trunk has 1.5.1 in development.
7006 - Patch from Robert Edmonds to build pyunbound python module
7007 differently. No versioninfo, with -shared and without $(LIBS).
7008 - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
7009 - Removed 'increased limit open files' log message that is written
7012 - Patch from James Raftery, always print stats for rcodes 0..5.
7015 - iana portlist update.
7016 - Fix bug where forward or stub addresses with same address but
7018 - version number in svn trunk is 1.5.0
7019 - tag 1.5.0rc1
7020 - review fix from Ralph.
7023 - dnstap fixes by Robert Edmonds:
7025 dnstap/: Remove compiled protoc-c output files
7028 protobuf-c 1.0.0
7032 - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
7034 - Redefine internal minievent symbols to unique symbols that helps
7038 - Disabled use of SSLv3 in remote-control and ssl-upstream.
7039 - iana portlist update.
7042 - Documented dns64 configuration in unbound.conf man page.
7045 - Fix #617: in ldns in unbound, lowercase WKS services.
7046 - Fix ctype invocation casts.
7049 - Fix unbound-checkconf check for module config with dns64 module.
7050 - Fix unbound capsforid fallback, it ignores TTLs in comparison.
7053 - Fix #614: man page variable substitution bug.
7055 - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
7056 - $TTL's value starts at position 5 (ldns).
7059 - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
7062 - Fix #612: create service with service.conf in present directory and
7064 - Fix for mingw compile openssl ranlib.
7067 - updated configure and aclocal with newer autoconf 1.13.
7070 - Fix swig and python examples for Python 3.x.
7071 - Fix for mingw compile with openssl-1.0.1i.
7074 - improve python configuration detection to build on Fedora 22.
7077 - patches to also build with Python 3.x (from Pavel Simerda).
7080 - Fix tcp timer waiting list removal code.
7081 - iana portlist update.
7082 - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
7086 - Fix unit test for CDS typecode.
7089 - type CDS and CDNSKEY types in sldns.
7092 - Fixup checklock code for log lock and its mutual initialization
7094 - iana portlist update.
7095 - Removed necessity for pkg-config from the dnstap.m4, new are
7096 the --with-libfstrm and --with-protobuf-c configure options.
7099 - Update unbound manpage with more explanation (from Florian Obser).
7102 - Fix #603: unbound-checkconf -o <option> should skip verification
7104 - iana portlist update.
7105 - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
7108 - dnstap support, with a patch from Farsight Security, written by
7109 Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
7111 Building with --enable-dnstap needs pkg-config with this patch.
7112 - Noted dnstap in doc/README and doc/CREDITS.
7113 - Changes to the dnstap patch.
7114 - lint fixes.
7115 - dnstap/dnstap_config.h should not have been added to the repo,
7119 - Patch add msg, rrset, infra and key cache sizes to stats command
7121 - iana portlist update.
7124 - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
7126 This adds a module (for module-config in unbound.conf) dns64 that
7128 - Changes from DNS64:
7133 - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
7136 - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
7140 - Fix endian.h include for OpenBSD.
7143 - And Fix#596: Bail out of unbound-control dump_infra when ssl
7147 - Fix #596: Bail out of unbound-control list_local_zones when ssl
7149 - iana portlist update.
7152 - Configure tests if main can be linked to from getentropy compat.
7155 - Fix getentropy compat code, function refs were not portable.
7156 - Fix to check openssl version number only for OpenSSL.
7157 - LibreSSL provides compat items, check for that in configure.
7158 - Fix bug in fix for log locks that caused deadlock in signal handler.
7159 - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
7162 - fake-rfc2553 patch (thanks Benjamin Baier).
7165 - arc4random in compat/ and getentropy, explicit_bzero, chacha for
7169 - fix strptime implicit declaration error on OpenBSD.
7170 - arc4random, getentropy and explicit_bzero compat for Windows.
7173 - Fix #593: segfault or crash upon rotating logfile.
7176 - DLV tests added.
7177 - signit tool fixup for compile with libldns library.
7178 - iana portlist updated.
7181 - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
7184 - unbound-control status reports if so-reuseport was successful.
7185 - iana portlist updated.
7188 - Fix caps-for-id fallback, and added fallback attempt when servers
7190 - Fixup testsetup for VM tests (run testcode/run_vm.sh).
7193 - iana portlist updated.
7196 - Add AAAA for B root server to default root hints.
7199 - Remove unused define from iterator.h
7202 - Fixup sldns_enum_edns_option typedef definition.
7205 - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
7207 Generate unbound-control-setup.sh at build time so it respects
7221 no longer used. Add unbound-control-setup.sh to the list of
7225 - Fixup out-of-directory compile with unbound-control-setup.sh.in.
7226 - make depend.
7229 - unbound-host -D enabled dnssec and reads root trust anchor from
7233 - Feature, unblock-lan-zones: yesno that you can use to make unbound
7238 - Updated create_unbound_ad_servers and unbound_cache scripts from
7243 - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
7244 - iana portlist updated.
7247 - Contrib windows scripts from Yuri Voinov added to src/contrib:
7248 create_unbound_ad_servers.cmd: enters anti-ad server lists.
7250 - Added unbound-control-setup.cmd from Yuri Voinov to the windows
7254 - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
7257 - More #567: remove : from output of stub and forward lists, this is
7261 - iana portlist updated.
7262 - Add unbound-control flush_negative that flushed nxdomains, nodata,
7263 and errors from the cache. For dnssec-trigger and NetworkManager,
7268 - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
7272 - Fix compile with libevent2 on FreeBSD.
7275 - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
7277 - iana portlist updated.
7280 - iana portlist updated.
7281 - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
7283 - Document that dump_requestlist only prints queries from thread 0.
7284 - unbound-control stats prints num.query.tcpout with number of TCP
7286 - Fix #567: unbound lists if forward zone is secure or insecure with
7289 - Fix #554: use unsigned long to print 64bit statistics counters on
7291 - Fix #558: failed prefetch lookup does not remove cached response
7293 - Fix #545: improved logging, the ip address of the error is printed
7294 on the same log-line as the error.
7297 - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
7299 - iana portlist updated.
7302 - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
7304 - Fix #572: Fix unit test failure for systems with different
7308 - Fix #569: do_tcp is do-tcp in unbound.conf man page.
7311 - Patch from Stuart Henderson to build unbound-host man from .1.in.
7314 - Fix print filename of encompassing config file on read failure.
7317 - tag 1.4.22
7318 - trunk has 1.4.23 in development.
7321 - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
7325 - tag 1.4.22rc1
7328 - iana portlist updated.
7331 - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
7333 existence in 4592. NSEC empty non-terminals exist and thus the
7339 - Works on Minix (3.2.1).
7342 - Fix parse of #553(NSD) string in sldns, quotes without spaces.
7345 - iana portlist updated.
7346 - add body to ifstatement if locks disabled.
7347 - add TXT string"string" test case to unit test.
7348 - Fix #551: License change "Regents" to "Copyright holder", matching
7352 - sldns has type HIP.
7353 - code documentation on the module interface.
7356 - Fix sldns parse tests on osx.
7359 - Detect libevent2 install automatically by configure.
7360 - Fixup link with lib/event2 subdir.
7361 - Fix parse in sldns of quoted parenthesized text strings.
7364 - unit test for ldns wire to str and back with zones, root, nlnetlabs
7366 - Fix for hex to string in unknown, atma and nsap.
7367 - fixup nss compile (no ldns in it).
7368 - fixup warning in unitldns
7369 - fixup WKS and rdata type service to print unsigned because strings
7371 - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
7375 - delay-close does not act if there are udp-wait queries, so that
7379 - iana portlist updated.
7380 - iana portlist test updated so it does not touch the source
7382 - delay-close: msec option that delays closing ports for which
7385 is open so that no port-denied ICMPs are generated.
7388 - reuseport is attempted, then fallback to without on failure.
7391 - Change unbound-event.h to use void* buffer, length idiom.
7392 - iana portlist updated.
7393 - unbound-event.h is installed if you configure --enable-event-api.
7394 - speed up unbound (reports say it could be up to 10%), by reducing
7396 - so-reuseport: yesno option to distribute queries evenly over
7398 - made lint clean.
7401 - Fix #547: no trustanchor written if filesystem full, fclose checked.
7404 - Fix isprint() portability in sldns, uses unsigned int.
7405 - iana portlist updated.
7408 - fix #544: Fixed +i causes segfault when running with module conf
7410 - Windows port, adjust %lld to %I64d, and warning in win_event.c.
7413 - iana portlist updated.
7416 - Fix bug in cachedump that uses sldns.
7417 - update pythonmod for ldns_ to sldns_ name change.
7420 - Fix sldns to use sldns_ prefix for all ldns_ variables.
7421 - Fix windows compile to compile with sldns.
7424 - Fix sldns to make globals use sldns_ prefix. This fixes
7428 - Fix bug#537: compile python plugin without ldns library.
7431 - Fix bug#536: acl_deny_non_local and refuse_non_local added.
7434 - Patch from Neel Goyal to fix async id assignment if callback
7436 - Accept ip-address: as an alternative for interface: for
7440 - Patch from Neel Goyal to fix callback in libunbound.
7443 - if configured --with-libunbound-only fix make install.
7446 - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
7449 - iana portlist update.
7450 - separate ldns into core ldns inside ldns/ subdirectory. No more
7451 --with-ldns is needed and unbound does not rely on libldns.
7452 - portability fixes for new USE_SLDNS ldns subdir codebase.
7455 - Patch from Neel Goyal: Add an API call to set an event base on an
7461 - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
7464 - unbound-event.h is installed if configured --with-libevent. It
7465 contains low-level library calls, that use libevent's event_base
7470 - 1.4.21 tag created.
7471 - trunk has 1.4.22 number inside it.
7472 - iana portlist updated.
7473 - acx_nlnetlabs.m4 to 26; improve FLTO help text.
7476 - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
7480 - MIN_TTL and MAX_TTL also in time_t.
7481 - tag 1.4.21rc1 made again.
7484 - More fixes for bug#519: for the threaded case test if the bg
7488 - more fixes that I overlooked.
7489 - review fixes from Willem.
7492 - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
7495 - Fix for 2038, with time_t instead of uint32_t.
7498 - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
7501 - Fix uninit variable in fix#516.
7504 - Fix#516 dnssec lameness detection for answers that are improper.
7507 - tag 1.4.21rc1
7510 - Fix#512 memleak in testcode for testbound (if it fails).
7511 - Fix#512 NSS returned arrays out of setup function to be statics.
7514 - max include of 100.000 files (depth and globbed at one time).
7516 - iana portlist updated.
7519 - streamtcp man page, contributed by Tomas Hozza.
7520 - iana portlist updated.
7521 - libunbound documentation on how to avoid openssl race conditions.
7524 - Squelch sendto-permission denied errors when the network is
7526 - configure --disable-flto option (from Robert Edmonds).
7529 - Fix for const string literals in C++ for libunbound, from Karel
7531 - iana portlist updated.
7534 - Fixup manpage syntax.
7537 - get_option and set_option support for log-time-ascii, python-script
7538 val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
7542 - get_option, set_option, unbound-checkconf -o and libunbound
7543 getoption and setoption support cache-min-ttl and cache-max-ttl.
7546 - Fix#501: forward-first does not recurse, when forward name is ".".
7547 - iana portlist update.
7548 - Max include depth is unlimited.
7551 - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
7552 patch to it to not fail when -Werror is also specified, from the
7553 autoconf-archives.
7554 - iana portlist update.
7557 - Explain bogus and secure flags in libunbound more.
7560 - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
7562 - Fix#500 use on non-initialised values on socket bind failures.
7565 - Fix round-robin doesn't work with some Windows clients (from Ilya
7569 - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
7572 - add unbound-control insecure_add and insecure_remove for the
7576 - Implement max-udp-size config option, default 4096 (thanks
7578 - Robust checks on dname validity from rdata for dname compare.
7579 - updated iana portlist.
7582 - Fixup snprintf return value usage, fixed libunbound_get_option.
7585 - fix bug #491: pick program name (0th argument) as syslog identity.
7586 - own implementation of compat/snprintf.c.
7589 - Fix so that for a configuration line of include: "*.conf" it is not
7591 - unbound-anchor review: BIO_write can return 0 successfully if it
7595 - Fix queries leaking up for stubs and forwards, if the configured
7599 - code improve for minimal responses, small speed increase.
7602 - updated iana portlist.
7603 - Fix crash in previous private address fixup of 22 March.
7606 - Make reverse zones easier by documenting the nodefault statements
7607 commented-out in the example config file.
7610 - more fixes to lookup3.c endianness detection.
7613 - #492: Fix endianness detection, revert to older lookup3.c detection
7619 - Fix resolve of names that use a mix of public and private addresses.
7620 - iana portlist update.
7621 - Fix makedist for new svn for -d option.
7622 - unbound.h header file has UNBOUND_VERSION_MAJOR define.
7623 - Fix windows RSRC version for long version numbers.
7626 - release 1.4.20
7627 - trunk has 1.4.21
7628 - committed libunbound version 4:1:2 for binary API updated in 1.4.20
7629 - install copy of unbound-control.8 man page for unbound-control-setup
7632 - iana portlist update.
7633 - tag 1.4.20rc1
7636 - Fixup makedist.sh for windows compile.
7639 - iana portlist update.
7640 - testcode/ldns-testpkts.c check for makedist is informational.
7643 - fix defines in lookup3 for bigendian bsd alpha
7646 - Fixup openssl_thread init code to only run if compiled with SSL.
7649 - detect endianness in lookup3 on BSD.
7650 - add libunbound.ttl at end of result structure, version bump for
7653 - update iana port list.
7656 - includes and have_ssl fixes for nss.
7659 - printout name of zone with duplicate fwd and hint errors.
7662 - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
7665 - unbound-anchors checks the emailAddress of the signer of the
7668 - update iana port list.
7671 - Test that unbound-control checks client credentials.
7672 - Test that unbound can handle a CNAME at an intermediate node in
7674 - Check the commonName of the signer of the root.xml file in
7675 unbound-anchor, default is dnssec@iana.org.
7678 - Fix openssl lock free on exit (reported by Robert Fleischman).
7679 - iana portlist updated.
7680 - Tested that unbound implements the RFC5155 Technical Errata id 3441.
7685 - Fix unbound-anchor xml parse of entity declarations for safety.
7688 - iana portlist updated.
7691 - iana portlist updated.
7694 - Change of D.ROOT-SERVERS.NET A address in default root hints.
7697 - 1.4.19 release.
7698 - trunk has 1.4.20 under development.
7701 - note support for AAAA RR type RFC.
7704 - 1.4.19rc1 tag.
7707 - bug 481: fix python example0.
7708 - iana portlist updated.
7711 - iana portlist updated.
7714 - Fix unbound-control forward disables configured stubs below it.
7717 - Fixup ldns-testpkts, identical to ldns/examples.
7718 - iana portlist updated.
7721 - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
7724 - Fix validation for responses with both CNAME and wildcard
7728 - update ldns-testpkts.c to ldns 1.6.14 version.
7729 - fix build of pythonmod in objdir, for unbound.py.
7730 - make clean and makerealclean remove generated python and docs.
7733 - fix build of pythonmod in objdir (thanks Jakob Schlyter).
7736 - fix text in unbound-anchor man page.
7739 - ignore trusted-keys globs that have no files (from Paul Wouters).
7742 - include: directive in config file accepts wildcards. Patch from
7744 - unbound-control -q option is quiet, patch from Mariano Absatz.
7745 - iana portlist updated.
7746 - updated contrib/unbound.spec, patch from Valentin Bud.
7749 - chdir to / after chroot call (suggested by Camiel Dobbelaar).
7752 - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
7759 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
7760 - iana portlist updated.
7763 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
7766 - Fallback to 1472 and 1232, one fragment size without headers.
7769 - Fix timeouts so that when a server has been offline for a while
7774 - Add documentation to libunbound for default nonuse of resolv.conf.
7777 - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
7779 - iana portlist updated.
7782 - Fix openssl race condition, initializes openssl locks, reported
7786 - Improved forward-first and stub-first documentation.
7787 - Fix that enables modules to register twice for the same
7790 - Fix forward-first option where it sets the RD flag wrongly.
7791 - added manpage links for libunbound calls (Thanks Paul Wouters).
7794 - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
7797 - unbound-host works with libNSS
7798 - fix bogus nodata cname chain not reported as bogus by validator,
7802 - iana portlist updated.
7803 - tag 1.4.18rc1.
7806 - review fix for libnss, check hash prefix allocation size.
7809 - fix missing break for GOST DS hash function.
7810 - implemented forward_first for the root.
7813 - Fix bug#452 and another assertion failure in mesh.c, makes
7818 - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
7819 if CFLAGS is specified at configure time then '-g -O2' is not
7823 - Fix libunbound report of errors when in background mode.
7826 - updated iana ports list.
7829 - Add flush_bogus option for unbound-control
7832 - Fix validation of qtype DS queries that result in no data for
7833 non-optout NSEC3 zones.
7836 - compile libunbound with libnss on Suse, passes regression tests.
7839 - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
7842 - updated iana ports list.
7845 - patch for unbound_munin_ script to handle arbitrary thread count by
7849 - detect if openssl has FIPS_mode.
7850 - code review: return value of cache_store can be ignored for better
7852 - fix edns-buffer-size and msg-buffer-size manpage documentation.
7853 - updated iana ports list.
7856 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
7859 - implement DS records, NSEC3 and ECDSA for compile with libnss.
7862 - fix error handling of alloc failure during rrsig verification.
7863 - nss check for verification failure.
7864 - nss crypto works for RSA and DSA.
7867 - work on --with-nss build option (for now, --with-libunbound-only).
7870 - --with-libunbound-only build option, only builds the library and
7874 - code review.
7877 - implement log-time-ascii on windows.
7878 - The key-cache bad key ttl is now 60 seconds.
7879 - updated iana ports list.
7880 - code review.
7883 - bug #452: fix crash on assert in mesh_state_attachment.
7886 - silence warning from swig-generated code (md set but not used in
7887 swig initmodule, due to ifdefs in swig-generated code).
7890 - Fix debian-bugs-658021: Please enable hardened build flags.
7893 - updated iana ports list.
7896 - tag for 1.4.17 release.
7897 - trunk is 1.4.18 in development.
7900 - Review comments, removed duplicate memset to zero in delegpt.
7903 - Updated doc/FEATURES with RFCs that are implemented but not listed.
7904 - Protect if statements in val_anchor for compile without locks.
7905 - tag for 1.4.17rc1.
7908 - fix configure ECDSA support in ldns detection for windows compile.
7909 - fix possible uninitialised variable in windows pipe implementation.
7912 - Fix alignment problem in util/random on sparc64/freebsd.
7915 - Fix for accept spinning reported by OpenBSD.
7916 - iana portlist updated.
7919 - Fix validation of nodata for DS query in NSEC zones, reported by
7923 - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
7927 - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
7928 minimal-responses features.
7929 - iana portlist updated.
7932 - fix bug #443: --with-chroot-dir not honoured by configure.
7933 - fix bug #444: setusercontext was called too late (thanks Bjorn
7937 - fix bug #442: Fix that Makefile depends on pythonmod headers
7938 even using --without-pythonmodule.
7941 - contrib/validation-reporter follows rotated log file (patch from
7945 - new approach to NS fetches for DS lookup that works with
7949 - iana portlist updated.
7950 - fix to locate nameservers for DS lookup with NS fetches.
7953 - Patch for access to full DNS packet data in unbound python module
7957 - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
7960 - flush_infra cleans timeouted servers from the cache too.
7961 - removed warning from --enable-ecdsa.
7964 - forward-first option. Tries without forward if a query fails.
7965 Also stub-first option that is similar.
7968 - Fix from code review, if EINPROGRESS not defined chain if statement
7972 - Fix bug#434: on windows check registry for config file location
7973 for unbound-control.exe, and unbound-checkconf.exe.
7976 - Fix to squelch 'network unreachable' errors from tcp connect in
7980 - iter_hints is now thread-owned in module env, and thus threadsafe.
7981 - Fix prefetch and sticky NS, now the prefetch works. It picks
7988 - Fix forward-zone memory, uses malloc and frees original root dp.
7989 - iter hints (stubs) uses malloc inside for more dynamicity.
7990 - unbound-control forward_add, forward_remove, stub_add, stub_remove
7992 they can also add and remove domain-insecure for the zone.
7995 - Fix sticky NS (ghost domain problem) if prefetch is yes.
7996 - iter forwards uses malloc inside for more dynamicity.
7999 - RT#2955. Fix for cygwin compilation.
8000 - iana portlist updated.
8003 - Slightly smaller critical region in one case in infra cache.
8004 - Fix timeouts to keep track of query type, A, AAAA and other, if
8006 - unit test fix for nomem_cnametopos.rpl race condition.
8009 - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
8012 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
8015 been assigned). Needs recent ldns with --enable-ecdsa.
8016 - fix memory leak in errorcase for DSA signatures.
8017 - iana portlist updated.
8018 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
8021 - fix for windows, rename() is not posix compliant on windows.
8024 - 1.4.16 release tag.
8025 - svn trunk is 1.4.17 in development.
8026 - iana portlist updated.
8029 - Fix validation failures (like: validation failure xx: no NSEC3
8031 because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
8035 - Fix version-number in libtool to be version-info so it produces
8039 - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
8040 - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
8042 - applied patch to support outgoing-interface with ub_ctx_set_option.
8045 - Fix memset in test code.
8048 - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
8051 - Fix to write key files completely to a temporary file, and if that
8055 - tag 1.4.15rc1 created
8056 - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
8059 - Fix bug where canonical_compare of RRSIG did not downcase the
8060 signer-name. This is mostly harmless because RRSIGs do not have
8064 - bug#428: add ub_version() call to libunbound. API version increase,
8068 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
8071 - iana portlist updated.
8072 - uninitialised variable in reprobe for rtt blocked domains fixed.
8073 - lintfix and new flex output.
8076 - Fix to randomize hash function, based on 28c3 congress, reported
8080 - Fix for memory leak (about 20 bytes when a tcp or udp send operation
8084 - iana portlist updated.
8087 - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
8089 http://www.unbound.net/downloads/CVE-2011-4528.txt
8090 - robust checks for next-closer NSEC3s.
8091 - tag 1.4.14 created.
8092 - trunk has 1.4.15 in development.
8095 - remove uninit warning from cachedump code.
8096 - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
8099 - iana portlist updated.
8100 - svn tag 1.4.14rc1
8101 - fix infra cache comparison.
8102 - Fix to constrain signer_name to be a parent of the lookupname.
8105 - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
8106 - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
8107 - Fix warning unused in compat/strptime.c.
8108 - Fix malloc detection and double definition.
8111 - configure generated with autoconf 2.68.
8114 - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
8118 - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
8119 - iana ports updated.
8122 - Makefile compat with SunOS make, BSD make and GNU make.
8123 - iana ports updated.
8126 - Makefile changed for BSD make compatibility.
8129 - added unit test for SSL service and SSL-upstream.
8132 - can configure ssl service to one port number, and not on others.
8133 - fixup windows compile with ssl support.
8134 - Fix double free in unbound-host, reported by Steve Grubb.
8135 - iana portlist updated.
8138 - dns over ssl support as a client, ssl-upstream yes turns it on.
8140 - documentation for new options: ssl-upstream, ssl-service-key and
8141 ssl-service.pem.
8142 - iana portlist updated.
8143 - fix -flto detection on Lion for llvm-gcc.
8146 - dns over ssl support, ssl-service-pem and ssl-service-key files
8150 - lame-ttl and lame-size options no longer exist, it is integrated
8153 - fix iana-update for changing gzip compression of results.
8154 - fix export-all-symbols on OSX.
8157 - iana portlist updated.
8158 - Infra cache stores information about ping and lameness per IP, zone.
8160 - fix iana_update target for gzipped file on iana site.
8163 - Fix resolve of partners.extranet.microsoft.com with a fix for the
8166 - Fix make_new_space function so that the incoming query is not
8172 - fix --enable-allsymbols, fptr wlist is disabled on windows with this
8176 - fix unbound-anchor for broken strptime on OSX lion, detected
8178 - Detect if GOST really works, openssl1.0 on OSX fails.
8179 - Implement ipv6%interface notation for scope_id usage.
8182 - better documentation for inform_super (Thanks Yang Zhe).
8185 - Fix for out-of-memory condition in libunbound (thanks
8189 - Fix --enable-allsymbols, it depended on link specifics of the
8193 - updated contrib/unbound_munin_ to family=auto so that it works with
8194 munin-node-configure automatically (if installed as
8198 - unbound.exe -w windows option for start and stop service.
8201 - TCP-upstream calculates tcp-ping so server selection works if there
8205 - Fix classification of NS set in answer section, where there is a
8206 parent-child server, and the answer has the AA flag for dir.slb.com.
8210 - fix bug #408: accept patch from Steve Snyder that comments out
8212 - iana portlist updated.
8213 - fix EDNS1480 change memleak and TCP fallback.
8214 - fix various compiler warnings (reported by Paul Wouters).
8215 - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
8222 - release 1.4.13.
8223 - trunk contains 1.4.14 in development.
8224 - Unbound probes at EDNS1480 if there an EDNS0 timeout.
8227 - Reverted dns EDNS backoff fix, it did not help and needs
8229 - tag 1.4.13rc2
8232 - Fix operation in ipv6 only (do-ip4: no) mode.
8235 - fedora specfile updated.
8238 - tag 1.4.13rc1
8241 - iana portlist updated.
8244 - Fix num-threads 0 does not segfault, reported by Simon Deziel.
8245 - Fix validation failures due to EDNS backoff retries, the retry
8253 - Applied patch from Karel Slany that fixes a memory leak in the
8257 - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
8263 - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
8264 - Documented the options that work with control set_option command.
8265 - tcp-upstream yes/no option (works with set_option) for tunnels.
8268 - fix autoconf call in makedist crosscompile to RC or snapshot.
8271 - Fix validation of . DS query.
8272 - new xml format at IANA, new awk for iana_update.
8273 - iana portlist updated.
8276 - Fix python site-packages path to /usr/lib64.
8277 - updated patch from Tom.
8278 - fix memory and fd leak after out-of-memory condition.
8281 - patch from Tom Hendrikx fixes load of python modules.
8284 - make clean had ldns-src reference, removed.
8287 - Fix autoconf 2.68 warnings
8290 - Unbound implements RFC6303 (since version 1.4.7).
8291 - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
8293 - iana portlist updated.
8296 - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
8299 - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
8303 - 1.4.12rc1 tag created.
8306 - version number in example config file.
8307 - fix that --enable-static-exe does not complain about it unknown.
8310 - tag relase 1.4.11, trunk is 1.4.12 development.
8311 - iana portlist updated.
8312 - fix bug#395: id bits of other query may leak out under conditions
8313 - fix replyaddr count wrong after jostled queries, which leads to
8315 - fix comment about rndc port, that referred to the old port number.
8316 - fix that the listening socket is not closed when too many remote
8318 - removed ldns-src tarball inside the unbound tarball.
8321 - Changed -flto check to support clang compiler.
8322 - tag 1.4.11rc3 created.
8325 - tag 1.4.11rc1 created.
8326 - remove warning about signed/unsigned from flex (other flex version).
8327 - updated aclocal.m4 and libtool to match.
8328 - tag 1.4.11rc2 created.
8331 - log-queries: yesno option, default is no, prints querylog.
8332 - version is 1.4.11.
8335 - Use -flto compiler flag for link time optimization, if supported.
8336 - iana portlist updated.
8339 - IPv6 service address for d.root-servers.net (2001:500:2D::D).
8342 - unbound-control has version number in the header,
8344 - Unbound control port number is registered with IANA:
8345 ub-dns-control 8953/tcp unbound dns nameserver control
8346 This is the new default for the control-port config setting.
8347 - statistics-interval prints the number of jostled queries to log.
8350 - Fix Makefile for U in environment, since wrong U is more common than
8352 - iana portlist updated.
8353 - updated ldns tarball to 1.6.10rc2 snapshot of today.
8356 - Fix assertion failure when unbound generates an empty error reply
8357 in response to a query, CVE-2011-1922 VU#531342.
8358 - This fix is in tag 1.4.10.
8359 - defense in depth against the above bug, an error is printed to log
8363 - bug#386: --enable-allsymbols option links all binaries to libunbound
8365 - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
8366 - iana portlist updated.
8367 - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
8370 - configure created with newer autoconf 2.66.
8373 - bug#378: Fix that configure checks for ldns_get_random presence.
8376 - iana portlist updated.
8377 - queries with CD flag set cause DNSSEC validation, but the answer is
8381 - val-override-date: -1 ignores dates entirely, for NTP usage.
8384 - harden-below-nxdomain: changed so that it activates when the
8389 - iana portlist updated.
8390 - release 1.4.9.
8391 - trunk is 1.5.0
8394 - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
8395 Applied but did not do the --disable-gost.
8398 - tag 1.4.9 release candidate 1 created.
8401 - updated ldns to today.
8404 - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
8405 - give config parse error for multiple names on a stub or forward zone.
8406 - updated ldns tarball to 1.6.9(todays snapshot).
8409 - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
8412 - iana portlist updated.
8413 - common.sh to version 3.
8416 - common.sh in testdata updated to version 2.
8419 - Added explicit note on unbound-anchor usage:
8420 Please note usage of unbound-anchor root anchor is at your own risk
8424 - iana portlist updated.
8425 - tpkg updated with common.sh for common functionality.
8428 - Added regression test for addition of a .net DS to the root, and
8430 - iana portlist updated.
8433 - Fix remove private address does not throw away entire response.
8436 - release 1.4.8
8439 - fix bug#349: no -L/usr for ldns.
8442 - ldns 1.6.8 tarball included.
8443 - release 1.4.8rc1.
8446 - add get and set option for harden-below-nxdomain feature.
8447 - iana portlist updated.
8450 - Fix so a changed NS RRset does not get moved name stuck on old
8454 - Fix prefetch so it does not get stuck on old server for moved names.
8457 - iana portlist updated.
8460 - Fix insecure CNAME sequence marked as secure, reported by Bert
8464 - faster lruhash get_mem routine.
8467 - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
8468 - iana portlist updated.
8471 - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
8474 - algorithm compromise protection using the algorithms signalled in
8476 and thus, if you have multiple algorithms in your trust-anchor-file
8478 for algorithms needs to be double-signature until the old algorithm
8481 - iana portlist updated.
8484 - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
8485 - fix validation in this case: CNAME to nodata for co-hosted opt-in
8489 - Fix our 'BDS' license (typo reported by Xavier Belanger).
8492 - iana portlist updated.
8493 - review changes for unbound-anchor.
8496 - feature typetransparent localzone, does not block other RR types.
8499 - Fix bug#338: print address when socket creation fails.
8502 - Fix storage of EDNS failures in the infra cache.
8503 - iana portlist updated.
8506 - harden-below-nxdomain option, default off (because very old
8511 - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
8512 - make test output nicer.
8515 - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
8516 - iana portlist updated.
8517 - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
8520 - unbound-anchor compiles with openssl 0.9.7.
8523 - release tag 1.4.7.
8524 - trunk is version 1.4.8.
8525 - Be lenient and accept imgw.pl malformed packet (like BIND).
8528 - do not synthesize a CNAME message from cache for qtype DS.
8531 - Use central entropy to seed threads.
8534 - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
8537 - tag 1.4.7rc1.
8538 - code review.
8541 - GOST code enabled by default (RFC 5933).
8544 - Fix uninit value in dump_infra print.
8545 - Fix validation failure for parent and child on same server with an
8547 - Configure detects libev-4.00.
8550 - dump_infra and flush_infra commands for unbound-control.
8551 - no timeout backoff if meanwhile a query succeeded.
8552 - Change of timeout code. No more lost and backoff in blockage.
8558 - Configure errors if ldns is not found.
8561 - Windows 7 fix for the installer.
8564 - Fix bug where fallback_tcp causes wrong roundtrip and edns
8567 - new unresponsive host method, exponentially increasing block backoff.
8568 - iana portlist updated.
8571 - interface automatic works for some people with ip6 disabled.
8575 - Fix for request list growth, if a server has long timeout but the
8583 - iana portlist updated.
8586 - Fix TCP so it uses a random outgoing-interface.
8587 - unbound-anchor handles ADDPEND keystate.
8590 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
8593 - iana portlist updated.
8594 - ldns tarball updated (for reading cachedumps with bad RR data).
8597 - test for unbound-anchor. fix for reading certs.
8598 - Fix alloc_reg_release for longer uptime in out of memory conditions.
8601 - unbound-anchor working, it creates or updates a root.key file.
8605 - iana portlist updated.
8608 - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
8611 - unbound-anchor app, unbound requires libexpat (xml parser library).
8614 - compliance with draft-ietf-dnsop-default-local-zones-14, removed
8616 - iana portlist updated.
8619 - DLV has downgrade protection again, because the RFC says so.
8620 - iana portlist updated.
8623 - Algorithm rollover operational reality intrudes, for trust-anchor,
8624 5011-store, and DLV-anchor if one key matches it's good enough.
8625 - iana portlist updated.
8626 - Fix reported validation error in out of memory condition.
8629 - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
8632 - increased mesh-max-activation from 1000 to 3000 for crazy domains
8634 - iana portlist updated.
8637 - bug#327: Fix for cannot access stub zones until the root is primed.
8640 - unresponsive servers are not completely blacklisted (because of
8643 - iana portlist updated.
8646 - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
8652 - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
8655 - example.conf notes how to do DNSSEC validation and track the root.
8656 - iana portlist updated.
8659 - Fix bug#322: configure does not respect CFLAGS on Solaris.
8660 Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
8661 if use sun-cc, but some systems need different flags.
8664 - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
8666 - make test (or make check) should be more portable and run the unit
8670 - More pleasant remote control command parsing.
8671 - documentation added for return values reported by doxygen 1.7.1.
8672 - iana portlist updated.
8675 - Fix name of rrset printed that failed validation.
8678 - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
8681 - Fix validation in case a trust anchor enters into a zone with
8685 - updated ldns tarball with bugfixes.
8686 - release tag 1.4.6.
8687 - trunk becomes 1.4.7 develop.
8688 - iana portlist updated.
8691 - more error details on failed remote control connection.
8694 - rlimit adjustments for select and ulimit can happen at the same time.
8697 - Donation text added to README.
8698 - Fix integer underflow in prefetch ttl creation from cache. This
8702 - Changed the defaults for num-queries-per-thread/outgoing-range.
8703 For builtin-select: 512/960, for libevent 1024/4096 and for
8709 - GOST enabled if SSL is recent and ldns has GOST enabled too.
8710 - ldns tarball updated.
8713 - iana portlist updated.
8714 - Fix validation of qtype DNSKEY when a key-cache entry exists but
8715 no rr-cache entry is used (it expired or prefetch), it then goes
8716 back up to the DS or trust-anchor to validate the DNSKEY.
8719 - Neat function prototypes, unshadowed local declarations.
8722 - failure to chown the pidfile is not fatal any more.
8723 - testbound uses UTC timezone.
8724 - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
8728 - log if a server is skipped because it is on the donotquery list,
8730 - added feature to print configure date, target and options with -h.
8731 - added feature to print event backend system details with -h.
8732 - wdiff is not actually required by make test, updated requirements.
8735 - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
8740 - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
8747 - Fix the max number of reply-address count to be applied for duplicate
8752 - Fix handling of corner case reply from lame server, follows rfc2308.
8754 for a non-lame server turned up other misconfigured servers.
8755 - unbound.h has extern "C" statement for easier include in c++.
8758 - iana portlist updated.
8759 - makedist upgraded cross compile openssl option, like this:
8760 ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
8763 - Unbound reports libev or libevent correctly in logs in verbose mode.
8764 - Fix to unload gost dynamic library module for leak testing.
8767 - iana portlist updated.
8770 - Add AAAA to root hints for I.ROOT-SERVERS.NET.
8773 - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
8775 - updated ldns tarball.
8778 - tag 1.4.5 created.
8779 - trunk contains 1.4.6 in development.
8780 - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
8781 - Fix to use one pointer less for iterator query state store_parent_NS.
8782 - makedist crosscompile to windows uses builtin ldns not host ldns.
8783 - Max referral count from 30 to 130, because 128 one character domains
8785 - added documentation for the histogram printout to syslog.
8788 - When retry to parent the retrycount is not wiped, so failed
8790 - iana portlist updated.
8793 - Fix bug where a long loop could be entered, now cycle detection
8794 has a loop-counter and maximum search amount.
8797 - iana portlist updated.
8798 - 1.4.5rc1 tag created.
8801 - ldns tarball updated, 1.6.5.
8802 - review comments, split dependency cycle tracking for parentside
8806 - Fix compile warning if compiled without threads.
8807 - updated ldns-tarball with current ldns svn (pre 1.6.5).
8808 - GOST disabled-by-default, the algorithm number is allocated but the
8812 - Ignore Z flag in incoming messages too.
8813 - Fix storage of negative parent glue if that last resort fails.
8814 - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
8815 - new splint flags for newer splint install.
8818 - Fix AD flag handling, it could in some cases mistakenly copy the AD
8820 - alloc_special_obtain out of memory is not a fatal error any more,
8822 - parentside names are dispreferred but not said to be dnssec-lame.
8823 - parentside check for cached newname glue.
8824 - fix parentside and querytargets modulestate, for dump_requestlist.
8825 - unbound-control-setup makes keys -rw-r--- so not all users permitted.
8826 - fix parentside from cache to be marked dispreferred for bad names.
8829 - iana portlist updated.
8830 - parent-child disagreement approach altered. Older fixes are
8834 parent if possible. Additionally the loop-counter is used.
8843 - Contribution from Migiel de Vos (Surfnet): nagios patch for
8844 unbound-host, in contrib/ (in the source tarball). Makes
8845 unbound-host suitable for monitoring dnssec(-chain) status.
8848 - EDNS timeout code will not fire if EDNS status already known.
8849 - EDNS failure not stored if EDNS status known to work.
8852 - Fix resolution for domains like safesvc.com.cn. If the iterator
8857 - Fix comments in iter_utils:dp_is_useless.
8860 - Fix various compiler warnings from the clang llvm compiler.
8861 - iana portlist updated.
8864 - Fix bug#308: spelling error in variable name in parser and lexer.
8867 - Fix dnssec-missing detection that was turned off by server selection.
8868 - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
8869 reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
8870 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
8873 - Fix for dnssec lameness detection to use the key cache.
8874 - infra cache entries that are expired are wiped clean. Previously
8878 - ldns tarball updated and GOST support is detected and then enabled.
8879 - iana portlist updated.
8880 - Fix detection of gost support in ldns (reported by Chris Smith).
8883 - unbound-control get_option domain-insecure shows config file items.
8884 - fix retry sequence if prime hints are recursion-lame.
8885 - autotrust anchor file can be initialized with a ZSK key as well.
8886 - harden-referral-path does not result in failures due to max-depth.
8887 You can increase the max-depth by adding numbers (' 0') after the
8888 target-fetch-policy, this increases the depth to which is checked.
8891 - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
8893 - if libev is installed on the base system (not libevent), detect
8894 it from the event.h header file and link with -lev.
8895 - configlexer.lex gets config.h, and configyyrename.h added by make,
8897 - More strict scrubber (Thanks to George Barwood for the idea):
8899 - Fix bug#307: In 0x20 backoff fix fallback so the number of
8900 outstanding queries does not become -1 and block the request.
8901 Fixed handling of recursion-lame in combination with 0x20 fallback.
8903 comparison fails, this makes it work around round-robin sites.
8906 - Squelch log message: sendto failed permission denied for
8908 - Fix to fetch data as last resort more tenaciously. When cycle
8911 - Fix fetch from blacklisted dnssec lame servers as last resort. The
8913 - Fix local-zone type redirect that did not use the query name for
8917 - tag 1.4.4.
8918 - trunk contains 1.4.5 in development.
8919 - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
8923 - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
8924 - tag 1.4.4rc1.
8927 - ECC-GOST algorithm number 12 that is assigned by IANA. New test
8928 example key and signatures for GOST. GOST requires openssl-1.0.0.
8932 - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
8935 - Fix chain of trust with CNAME at an intermediate step, for the DS
8939 - Fix validation of queries with wildcard names (*.example).
8942 - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
8946 - GOST support with correct algorithm numbers.
8949 - iana portlist updated.
8952 - unbound control flushed items are not counted when flushed again.
8955 - iana portlist updated.
8958 - unbound-host disables use-syslog from config file so that the
8960 - fix bug#301: unbound-checkconf could not parse interface
8964 - fix fwd_ancil test to pass if the socket options are not supported.
8967 - Fixed random numbers for port, interface and server selection.
8969 - Refer to the listing in unbound-control man page in the extended
8973 - Fix interface-automatic for OpenBSD: msg.controllen was too small,
8975 - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
8976 - for NSEC3 check if signatures are cached.
8979 - unit test for util/regional.c.
8982 - Reordered configure checks so fork and -lnsl -lsocket checks are
8984 - iana portlist updated.
8985 - ldns tarball updated.
8986 - Fix python use when multithreaded.
8987 - Fix solaris python compile.
8988 - Include less in config.h and include per code file for ldns, ssl.
8991 - another memory allocation option: --enable-alloc-nonregional.
8993 - fix for memory alignment in struct sock_list allocation.
8994 - Fix for MacPorts ldns without ssl default, unbound checks if ldns
8996 - Fix daemonize on Solaris 10, it did not detach from terminal.
8997 - tag 1.4.3 created.
8998 - trunk is 1.4.4 in development.
8999 - spelling fix in validation error involving cnames.
9002 - --enable-alloc-lite works with test set.
9003 - portability in the testset: printf format conversions, prototypes.
9006 - tag 1.4.2 created.
9007 - trunk is 1.4.3 in development.
9008 - --enable-alloc-lite debug option.
9011 - iana portlist updated.
9014 - Fix crash in control channel code.
9017 - better casts in pipe code, brackets placed wrongly.
9018 - iana portlist updated.
9021 - make install depends on make all.
9022 - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
9023 - --enable-checking: enables assertions but does not look nonproduction.
9024 - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
9026 - ldns tarball updated.
9027 - --disable-rpath fixed for libtool not found errors.
9028 - new fedora specfile from Fedora13 in contrib from Paul Wouters.
9031 - Fixup prototype for lexer cleanup in daemon code.
9032 - unbound-control list_stubs, list_forwards, list_local_zones and
9036 - Fix scrubber bug that potentially let NS records through. Reported
9038 - Also delete potential poison references from additional.
9039 - Fix: no classification of a forwarder as lame, throw away instead.
9042 - libunbound ub_ctx_get_option() added.
9043 - unbound-control set_option and get_option commands.
9044 - iana portlist updated.
9047 - A little more strict DS scrubbing.
9048 - No more blacklisting of unresponsive servers, a 2 minute timeout
9050 - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
9051 - pickup ldns compile fix, libdl for libcrypto.
9052 - log 'tcp connect: connection timed out' only in high verbosity.
9053 - unbound-control log_reopen command.
9054 - moved get_option code from unbound-checkconf to util/config_file.c
9057 - Disregard DNSKEY from authority section for chain of trust.
9058 DS records that are irrelevant to a referral scrubbed. Anti-poison.
9059 - iana portlist updated.
9062 - Check for 'no space left on device' (or other errors) when
9066 - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
9072 - Re-query pattern changed on validation failure. To protect troubled
9079 - ldns tarball update for long label length syntax error fix.
9080 - iana portlist updated.
9083 - Fixup in compat snprintf routine, %f 1.02 and %g support.
9084 - include math.h for testbound test compile portability.
9087 - Updated url of IANA itar, interim trust anchor repository, in script.
9090 - iana portlist updated.
9091 - configure test for memcmp portability.
9094 - removed warning on format string in validator error log statement.
9095 - iana portlist updated.
9098 - libtool finish the install of unbound python dynamic library.
9101 - acx_nlnetlabs.m4 synchronised with nsd's version.
9104 - Fixup lookup trouble for parent-child domains on the first query.
9107 - Fixup ldns detection to also check for header files.
9110 - prefetch-key option that performs DNSKEY queries earlier in the
9115 - Fix unbound-checkconf for auto-trust-anchor-file present checks.
9118 - Fix for parent-child disagreement code which could have trouble
9120 were different. There were two bugs, the parent-side information
9124 - test and fixes to make prefetch actually store the answer in the
9129 - Fixup python documentation (thanks Leo Vandewoestijne).
9130 - Work on cache prefetch feature.
9131 - Stats for prefetch, in log print stats, unbound-control stats
9135 - iana portlist updated.
9136 - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
9137 - verbose output includes parent-side-address notion for lameness.
9138 - documented val-log-level: 2 setting in example.conf and man page.
9139 - change unbound-control-setup from 1024(sha1) to 1536(sha256).
9142 - iana portlist updated.
9145 - configure with newer libtool 2.2.6b.
9148 - review comments.
9149 - tag 1.4.1.
9150 - trunk to version 1.4.2.
9153 - Answer to qclass=ANY queries, with class IN contents.
9155 - updated ldns snapshot tarball with latest fixes (parsing records).
9158 - on IPv4 UDP turn off DF flag.
9161 - requirements.txt updated with design choice explanations.
9162 - Reading fixes: fix to set unlame when child confirms parent glue,
9164 - verify_rrsig routine checks expiration last.
9167 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
9169 - Fix SOA excluded from negative DS responses. Reported by Hauke
9173 - Fix negative cache lookup of closestencloser check of DS type bit.
9176 - Fix for lookup of parent-child disagreement domains, where the
9177 parent-side glue works but it does not provide proper NS, A or AAAA
9179 - Feature: you can specify a port number in the interface: line, so
9183 - Bug#287: Fix segfault when unbound-control remove nonexistent local
9187 - Fix crash with module-config "iterator".
9188 - Added unit test that has "iterator" module-config.
9191 - bug#284: fix parse of # without end-of-line at end-of-file.
9194 - updated ldns with release candidate for version 1.6.3.
9195 - tag for 1.4.0 release.
9196 - 1.4.1 version in trunk.
9197 - Fixup major libtool version to 2 because of why_bogus change.
9201 - Patch from David Hubbard for libunbound manual page.
9202 - Fixup endless spinning in unbound-control stats reported by
9206 - contrib/split-itar.sh contributed by Tom Hendrikx.
9209 - better argument help for unbound-control.
9210 - iana portlist updated.
9213 - noted multiple entries for multiple domain names in example.conf.
9214 - iana portlist updated.
9217 - Fixed signer detection of CNAME responses without signatures.
9218 - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
9219 - Tests for CNAMEs to deeper trust anchors, secure and bogus.
9220 - svn tag 1.4.0rc1 made.
9223 - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
9224 - unbound-host does not fail on type ANY.
9225 - Fixed wireparse failure to put RRSIGs together with data in some
9229 - iana portlist updated.
9230 - fix manpage errors reported by debian lintian.
9231 - review comments.
9232 - fixup very long vallog2 level error strings.
9235 - ldns tarball updated (to 1.6.2).
9236 - review comments.
9239 - Thanks to Surfnet found bug in new dnssec-retry code that failed
9241 - Fixed unbound-control -h output about argument optionality.
9242 - review comments.
9245 - lint fixes and portability tests.
9246 - better error text for multiple domain keys in one autotrust file.
9249 - Fix bug where autotrust does not work when started with a DS.
9250 - Updated GOST unit tests for unofficial algorithm number 249
9251 and DNSKEY-format changes in draft version -01.
9254 - iana portlist updated.
9255 - edns-buffer-size option, default 4096.
9256 - fixed do-udp: no.
9259 - removed abort on prealloc failure, error still printed but softfail.
9260 - iana portlist updated.
9261 - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
9262 - ldns tarball updated (which also enables rsasha256 support).
9265 - iana portlist updated.
9268 - please doxygen
9269 - add val-log-level print to corner case (nameserver.epost.bg).
9270 - more detail to errors from insecure delegation checks.
9271 - Fix double time subtraction in negative cache reported by
9273 - Made new validator error string available from libunbound for
9274 applications. It is in result->why_bogus, a zero-terminated string.
9275 unbound-host prints it by default if a result is bogus.
9279 - retry for validation failure in DS and prime results. Less mem use.
9281 - retry for validation failure in DNSKEY in middle of chain of trust.
9283 - retry for empty non terminals in chain of trust and unit test.
9284 - Fixed security bug where the signatures for NSEC3 records were not
9287 - moved version number to 1.4.0 because of 1.3.4 release with only
9289 - val-log-level: 2 shows extended error information for validation
9297 - Test set updated to provide additional ns lookup result.
9302 - first validation failure retry code. Retries for data failures.
9306 - improve 5011 modularization.
9307 - fix unbound-host so -d can be given before -C.
9308 - iana portlist updated.
9311 - autotrust-anchor-file can read multiline input and $ORIGIN.
9312 - prevent integer overflow in holddown calculation. review fixes.
9313 - fixed race condition in trust point revocation. review fix.
9314 - review fixes to comments, removed unused code.
9317 - so-rcvbuf: 4m option added. Set this on large busy servers to not
9319 netstat -su keeps a counter of UDP dropped due to full buffers.
9320 - review of validator/autotrust.c, small fixes and comments.
9323 - 5011 query failed counts verification failures, not lookup failures.
9324 - 5011 probe failure handling fixup.
9325 - test unbound reading of original autotrust data.
9326 The metadata per-key, such as key state (PENDING, MISSING, VALID) is
9330 - autotrust test with algorithm rollover, new ordering of checks
9332 - autotrust test with algorithm rollover to unknown algorithm.
9334 - autotrust test with trust point revocation, becomes unsigned.
9335 - fix DNSSEC-missing-signature detection for minimal responses
9339 - autotrust tests, fix trustpoint timer deletion code.
9341 - autotrust: pick up REVOKE even if not signed with known other keys.
9344 - fix compile of unbound-host when --enable-alloc-checks.
9345 - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
9346 - Manual page fixes reported by Tony Finch.
9349 - Fix memory leak reported by Tao Ma.
9350 - Fix memstats test tool for log-time-ascii log format.
9353 - iana portlist updated.
9356 - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
9357 - use linebuffering for log-file: output, this can be significantly
9363 - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
9366 - regression test for that bug.
9367 - documented that load_cache is meant for debugging.
9370 - fixup printing errors when load_cache, they were printed to the
9372 - new ldns - with fixed parse of large SOA values.
9375 - autotrust testbound scenarios.
9376 - autotrust fix that failure count is written to file.
9377 - autotrust fix that keys may become valid after add holddown time
9381 - Changes to make unbound work with libevent-2.0.3 alpha. (in
9383 - do not call sphinx for documentation when python is disabled.
9384 - remove EV_PERSIST from libevent timeout code to make the code
9385 compatible with the libevent-2.0. Works with older libevent too.
9386 - fix memory leak in python code.
9389 - Got a patch from Luca Bruno for libunbound support on windows to
9391 - included ldns updated (enum warning fixed).
9392 - makefile fix for parallel makes.
9393 - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
9395 - doxygen comment fixes.
9398 - TRAFFIC keyword for testbound. Simplifies test generation.
9400 - test with 5011-prepublish rollover and revocation.
9401 - fix revocation of RR for autotrust, stray exclamation mark.
9404 - testbound variable arithmetic.
9405 - autotrust probe time is randomised.
9406 - autotrust: the probe is active and does not fetch from cache.
9409 - testbound variable processing.
9412 - fixup unbound-control lookup to print forward and stub servers.
9415 - autotrust: mesh answer callback is empty.
9418 - autotrust probing.
9419 - iana portlist updated.
9422 - fixup memleak in trust anchor unsupported algorithm check.
9423 - iana portlist updated.
9424 - autotrust options: add-holddown, del-holddown, keep-missing.
9425 - autotrust store revoked status of trust points.
9426 - ctime_r compat definition.
9427 - detect yylex_destroy() in configure.
9428 - detect SSL_get_compression_methods declaration in configure.
9429 - fixup DS lookup at anchor point with unsigned parent.
9430 - fixup DLV lookup for DS queries to unsigned domains.
9433 - cleaner memory allocation on exit. autotrust test routines.
9434 - free all memory on program exit, fix for ssl and flex.
9437 - autotrust: debug routines. Read,write and conversions work.
9440 - autotrust: save and read trustpoint variables.
9443 - autotrust: state table updates.
9444 - iana portlist updated.
9447 - autotrust: process events.
9450 - Fix so that servers are only blacklisted if they fail to reply
9452 - autotrust work, split up DS verification of DNSKEYs.
9455 - unbound-control lookup prints out infra cache information, like RTT.
9456 - Fix bug in DLV lookup reported by Amanda from Secure64.
9461 - autotrust read anchor files. locked trust anchors.
9464 - autotrust import work.
9467 - Check for openssl compatible with gost if enabled.
9468 - updated unit test for GOST=211 code.
9470 - iana portlist updated.
9473 - call OPENSSL_config() in unbound and unit test so that the
9475 - removed small memory leak from config file reader.
9478 - configure --enable-gost for GOST support, experimental
9479 implementation of draft-dolmatov-dnsext-dnssec-gost-01.
9480 - iana portlist updated.
9481 - ldns tarball updated (with GOST support).
9484 - trunk moved to 1.3.4.
9487 - Added test that the examples from draft rsasha256-14 verify.
9488 - iana portlist updated.
9489 - tagged 1.3.3
9492 - nicer warning when algorithm not supported, tells you to upgrade.
9493 - iana portlist updated.
9496 - Updated unbound-cacti contribution from Dmitriy Demidov, with
9498 - iana portlist updated.
9501 - Fix bug found by Michael Tokarev where unbound would try to
9504 - tagged 1.3.3rc1
9507 - Fix server selection, so that it waits for open target queries when
9511 - Ignore transient sendto errors, no route to host, and host, net down.
9512 - contrib/update-anchor.sh has -r option for root-hints.
9513 - feature val-log-level: 1 prints validation failures so you can
9517 - fix replacement malloc code. Used in crosscompile.
9518 - makedist -w creates crosscompiled setup.exe on fedora11.
9521 - dependencies for compat items, for crosscompile.
9522 - mingw32 crosscompile changes, dependencies and zipfile creation.
9524 - package libgcc_s_sjlj exception handler for NSISdl.dll.
9527 - updated ldns tarball for solaris x64 compile assistance.
9528 - no need to define RAND_MAX from config.h.
9529 - iana portlist updated.
9530 - configure changes and ldns update for mingw32 crosscompile.
9533 - Fix for crash at start on windows.
9534 - tag for release 1.3.2.
9535 - trunk has version 1.3.3.
9536 - Fix for ID bits on windows to use all 16. RAND_MAX was not
9540 - tag for release 1.3.1.
9541 - trunk has version 1.3.2.
9544 - iana portlist updated.
9547 - prettier error handling in SSL setup.
9548 - makedist.sh uname fix (same as ldns).
9549 - updated fedora spec file.
9552 - fixup linking when ldnsdir is "".
9555 - more lenient truncation checks.
9558 - ldns trunk r2959 imported as tarball, because of solaris cc compile
9560 - better wrongly_truncated check.
9561 - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
9565 - Fix EDNS fallback when EDNS works for short answers but long answers
9569 - fixup iter priv strict aliasing while preserving size of sockaddr.
9570 - iana portlist updated. (one less port allocated, one more fraction
9572 - updated fedora specfile in contrib from Paul Wouters.
9575 - Fixup strict aliasing warning in iter priv code.
9577 - iana portlist updated.
9578 - harden-referral-path: handle cases where NS is in answer section.
9581 - Fix of message parse bug where (specifically) an NSEC and RRSIG
9584 - Extreme lenience for wrongly truncated replies where a positive
9587 - autoconf 2.63 for configure.
9588 - python warnings suppress. Keep python API away from header files.
9591 - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
9595 - Fixup opportunistic target query generation to it does not
9597 - Touchup on munin total memory report.
9598 - messages picked out of the cache by the iterator are checked
9603 - iana portlist updated.
9606 - Fixed bug where cached responses would lose their security
9611 - bug #254. removed random whitespace from example.conf.
9614 - Fixup potential wrong NSEC picked out of the cache.
9615 - If unfulfilled callbacks are deleted they are called with an error.
9616 - fptr wlist checks for mesh callbacks.
9617 - fwd above stub in configuration works.
9620 - Fix queries for type DS when forward or stub zones are there.
9626 - Added build-unbound-localzone-from-hosts.pl to contrib, from
9628 - same thing fixed for forward-zone and DS, chain of trust from
9629 public internet into the forward-zone works now. Added unit test.
9632 - openssl key files are opened apache-style, when user is root and
9633 before chrooting. This makes permissions on remote-control key
9635 - flush_type and flush_name remove msg cache entries.
9636 - codereview - dp copy bogus setting fix.
9639 - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
9641 - 1.3.0 tarball for release created.
9642 - 1.3.1 development in svn trunk.
9643 - iana portlist updated.
9644 - fix lint from complaining on ldns/sha.h.
9645 - help compiler figure out aliasing in priv_rrset_bad() routine.
9646 - fail to configure with python if swig is not found.
9647 - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
9650 - fixup bad free() when wrongly encoded DSA signature is seen.
9652 - review comments from Matthijs.
9655 - --enable-sha2 option. The draft rsasha256 changed its algorithm
9658 - ldns trunk included as new tarball.
9659 - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
9662 - fixup doc bug in README reported by Matthew Dempsky.
9665 - update iana port list
9666 - update ldns lib tarball
9669 - detect lack of IPv6 support on XP (with a different error code).
9670 - Fixup a crash-on-exit which was triggered by a very long queue.
9671 Unbound would try to re-use ports that came free, but this is
9675 - change in debug statements.
9676 - Fixed bug that could cause a crash if root prime failed when there
9680 - Thanks again to Brett Carr, found an assertion that was not true.
9684 - Thanks to Brett Carr, caught windows resource leak, use
9687 - Removed usage of windows Mutex because windows cannot handle enough
9691 - created svn tag for 1.3.0.
9694 - optimised cname from cache.
9695 - ifdef windows functions in testbound.
9698 - fix for threadsafety in solaris thr_key_create() in tests.
9699 - iana portlist updated.
9700 - fix pylib test for Darwin.
9701 - fix pymod test for Darwin and a python threading bug in pymod init.
9702 - check python >= 2.4 in configure.
9703 - -ldl check for libcrypto 1.0.0beta.
9706 - fix for build outside sourcedir.
9707 - fix for configure script swig detection.
9710 - Fix reentrant in minievent handler for unix. Could have resulted
9712 - timers do not take up a fd slot for winsock handler.
9713 - faster fix for winsock reentrant check.
9714 - fix rsasha512 unit test for new (interim) algorithm number.
9715 - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
9716 - fix compile warning on ubuntu (configlexer fwrite return value).
9717 - move python include directives into CPPFLAGS instead of CFLAGS.
9720 - winsock event handler exit very quickly on signal, even if
9722 - iana portlist updated.
9723 - fixup windows winsock handler reentrant problem.
9726 - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
9727 - makedist.sh; better help text.
9728 - cache-min-ttl option and tests.
9729 - mingw detect error condition on TCP sockets (NOTCONN).
9732 - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
9733 - ldns tarball updated.
9734 - iana portlist update.
9735 - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
9739 - windows compile fix.
9740 - Detect FreeBSD jail without ipv6 addresses assigned.
9741 - python libunbound wrapper unit test.
9742 - installs the following files. Default is to not build them.
9743 from configure --with-pythonmodule:
9744 /usr/lib/python2.x/site-packages/unboundmodule.py
9745 from configure --with-pyunbound:
9746 /usr/lib/python2.x/site-packages/unbound.py
9747 /usr/lib/python2.x/site-packages/_unbound.so*
9750 - python invalidate routine respects packed rrset ids and locks.
9751 - clock skew checks in unbound, config statements.
9752 - nxdomain ttl considerations in requirements.txt
9755 - Fixed a bug that caused messages to be stored in the cache too
9758 - documentation test fixed for python addition.
9761 - pyunbound (libunbound python plugin) compiles using libtool.
9762 - documentation for pythonmod and pyunbound is generated in doc/html.
9763 - iana portlist updated.
9764 - fixed bug in unbound-control flush_zone where it would not flush
9767 - python module test package.
9770 - suppress errors when trying to contact authority servers that gave
9774 - new libunbound calls documented.
9775 - pyunbound in libunbound/python. Removed compile warnings.
9779 - Fixup LDFLAGS from libevent sourcedir compile configure restore.
9780 - Fixup so no non-absolute rpaths are added.
9781 - Fixup validation of RRSIG queries, they are let through.
9782 - read /dev/random before chroot
9783 - checkconf fix no python checks when no python module enabled.
9784 - fix configure, pthread first, so other libs do not change outcome.
9787 - nicer -h output. report linked libraries and modules.
9788 - prints modules in intuitive order (config file friendly).
9789 - python compiles easily on BSD.
9792 - ignore swig varargs warnings with gcc.
9793 - remove duplicate example.conf text from python example configs.
9794 - outofdir compile fix for python.
9795 - pyunbound works.
9796 - print modules compiled in on -h. manpage.
9799 - initial import of the python contribution from Zdenek Vasicek and
9801 - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
9804 - more neat configure.ac. Removed duplicate config.h includes.
9805 - neater config.h.in.
9806 - iana portlist updated.
9807 - fix util/configlexer.c and solaris -std=c99 flag.
9808 - fix postcommit aclocal errors.
9809 - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
9810 - swap order of host detect and libtool generation.
9813 - added launchd plist example file for MacOSX to contrib.
9814 - deprecation test for daemon(3).
9815 - moved common configure actions to m4 include, prettier Makefile.
9818 - bug #239: module-config entries order is important. Documented.
9819 - build fix for test asynclook.
9822 - winrc/README.txt dos-format text file.
9823 - iana portlist updated.
9824 - use _beginthreadex() when available (performs stack alignment).
9825 - defaults for windows baked into configure.ac (used if on mingw).
9828 - Added tests, unknown algorithms become insecure. fallback works.
9829 - Fix for and test for unknown algorithms in a trust anchor
9833 - domain-insecure: "example.com" statement added. Sets domain
9835 of a trust-anchor.
9838 - unit test for unsupported algorithm in anchor warning.
9839 - fixed so queries do not fail on opportunistic target queries.
9842 - fixup diff error printout in contrib/update-itar.sh.
9843 - added contrib/unbound_cacti for statistics support in cacti,
9847 - doxygen and lex/yacc on linux.
9848 - strip update-anchor on makedist -w.
9849 - fix testbound on windows.
9850 - default log to syslog for windows.
9851 - uninstaller can stop unbound - changed text on it to reflect that.
9852 - remove debugging from windows 'cron' actions.
9855 - log to App.logs on windows prints executable identity.
9856 - fixup tests.
9857 - munin plugin fix benign locking error printout.
9858 - anchor-update for windows, called every 24 hours; unbound reloads.
9861 - winsock event handler resets WSAevents after signalled.
9862 - winsock event handler tests if signals are really signalled.
9863 - install and service with log to file works on XP and Vista on
9865 - on windows logging to the Application logbook works (as a service).
9866 - fix RUN_DIR on windows compile setting in makedist.
9867 - windows registry has Software\Unbound\ConfigFile element.
9868 If does not exist, the default is used. The -c switch overrides it.
9869 - fix makedist version cleanup function.
9872 - makedist -w strips out old rc.. and snapshot info from version.
9873 - setup.exe starts and stops unbound after install, before uninstall.
9874 - unbound-checkconf recognizes absolute pathnames on windows (C:...).
9877 - Nullsoft NSIS installer creation script.
9880 - fixup memory leak introduced on 18feb in mesh reentrant fix.
9883 - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
9884 - service works on xp/vista, no config necessary (using defaults).
9885 - windows registry settings.
9888 - fixup --export-symbols to be -export-symbls for libtool.
9891 - iana portlist updated.
9892 - document FAQ entry on stub/forward zones and default blocking.
9893 - fix asynclook test app for libunbound not exporting symbols.
9894 - service install and remove utils that work with vista UAC.
9897 - Fixup lexer, to not give warnings about fwrite. Appeared in
9899 - makedistro functionality for mingw. Has RC support.
9900 - support spaces and backslashes in configured defaults paths.
9901 - register, deregister in service control manager.
9904 - windres usage for application resources.
9907 - isc moved their dlv key download location.
9908 - fixup warning on vista/mingw.
9909 - makedist -w for window zip distribution first version.
9912 - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
9913 Nicer script layout. Added url to site in -h output.
9916 - unbound-checkconf and unbound print warnings when trust anchors
9918 - added contrib/update-itar.sh This script is similar to
9919 update-anchor.sh, and updates from the IANA ITAR repository.
9922 - iana portlist updated.
9923 - update-itar.sh: using ftp:// urls because https godaddy certificate
9928 - more cycle detection. Also for target queries.
9929 - fixup bug where during deletion of the mesh queries the callbacks
9933 - iana portlist updated.
9936 - forwarder information now per-thread duplicated.
9938 - forward command for unbound control to change forwarders to use
9940 - document that unbound-host reads no config file by default.
9941 - updated iana portlist.
9944 - call setusercontext if available (on BSD).
9945 - small refactor of stats clearing.
9946 - #227: flush_stats feature for unbound-control.
9947 - stats_noreset feature for unbound-control.
9948 - flush_requestlist feature for unbound-control.
9949 - libunbound version upped API (was changed 5 feb).
9950 - unbound-control status shows if root forwarding is in use.
9951 - slightly nicer memory management in iter-fwd code.
9954 - keys with rfc5011 REVOKE flag are skipped and not considered when
9956 - iana portlist updated
9957 - #226: dump_requestlist feature for unbound-control.
9960 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
9961 - iana portlist updated.
9962 - fixup EOL in include directive (reported by Paul Wouters).
9964 - config parser changed. Gives some syntax errors closer to where they
9967 - verbosity level 5 logs customer IP for new requestlist entries.
9968 - test fix, lexer and cancel test.
9969 - new option log-time-ascii: yes if you enable it prints timestamps
9971 - detect event_base_new in libevent-1.4.1 and later and use it.
9972 - #231 unbound-checkconf -o option prints that value from config file.
9976 - ldns 1.5.0 rc as tarball included.
9977 - 1.3.0 development continues:
9985 - MacOSX Leopard cleaner text output from configure.
9986 - initgroups(3) is called to drop secondary group permissions, if
9988 - configure option --with-ldns-builtin forces the use of the
9989 inluded ldns package with the unbound source. The -I include
9992 - daemon(3) posix call is used when available.
9993 - testbound test for older fix added.
9996 - tag for release 1.2.1.
9997 - trunk setup for 1.3.0 development.
10000 - noted feature requests in doc/TODO.
10001 - printout more detailed errors on ssl certificate loading failures.
10002 - updated IANA portlist.
10005 - more quiet about ipv6 network failures, i.e. when ipv6 is not
10008 - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
10009 debugging with unbound-host -4 -d ...
10010 - more cycle detection for NS-check, addr-check, root-prime and
10011 stub-prime queries in the iterator. Avoids possible deadlock
10015 - bug #229: fixup configure checks for compilation with Solaris
10017 - fixup suncc warnings.
10018 - fix bug where unbound could crash using libevent 1.3 and older.
10019 - update testset for recent retry change.
10022 - 1.2.1 feature: negative caching for failed queries.
10025 - the TTL comparison for the cache used different comparisons,
10028 - retry from 4 to 5 so that EDNS drop retry is part of the first
10030 - remove debug prints that protect against bad referrals.
10031 - honor QUIET=no on make commandline (or QUIET=yes ).
10034 - fixed bug in lameness marking, removed printouts.
10035 - find NS rrset more cleanly for qtype NS.
10036 - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
10038 - 1.2.1 feature: stops resolving AAAAs promiscuously when they
10042 - fixed bug in infrastructure lameness cache, did not lowercase
10044 - lameness debugging printouts.
10047 - created svn tag for 1.2.0 release.
10048 - svn trunk contains 1.2.1 version number.
10049 - iana portlist updated for todays list.
10050 - removed debug print.
10053 - new version of ldns-trunk (today) included as tarball, fixed
10054 bug #224, building with -j race condition.
10055 - remove possible race condition in the test for race conditions.
10058 - version 1.2.0 in preparation.
10059 - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
10061 - typo fix and iana portlist updated.
10062 - porting testsuite; unused var warning, and type fixup.
10065 - fixup packet-of-death when compiled with --enable-debug.
10067 - added test for HINFO canonicalisation behaviour.
10068 - fixup reported problem with transparent local-zone data where
10072 - HINFO no longer downcased for validation, making unbound compatible
10074 - fix reading included config files when chrooted.
10077 - fix libunbound message transport when no packet buffer is available.
10080 - fixup getaddrinfo failure handling for remote control port.
10081 - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
10082 - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
10083 - comm_timer_set performs base_set operation after event_add.
10086 - fixed bug reported by Duane Wessels: error in DLV lookup, would make
10088 - follows -rc makedist from ldns changes (no _rc).
10089 - ldns tarball updated with 1.4.1rc for DLV unit test.
10090 - verbose prints about recursion lame detection and server selection.
10091 - fixup BSD port for infra host storage. It hashed wrongly.
10092 - fixup makedist snapshot name generation.
10093 - do not reopen syslog to avoid dev/log dependency.
10096 - follows ldns makedist.sh. -rc option. autom4te dir removed.
10097 - unbound-control status command.
10098 - extended statistics has a number of ipv6 queries counter.
10102 - follow makedist improvements from ldns, for maintainers prereleases.
10103 - snapshot version uses _ not - to help rpm distinguish the
10107 - better fix for bug #219: use LOG_NDELAY with openlog() call.
10111 - bug #221 fixed: unbound checkconf checks if key files exist if
10113 - iana portlist updated.
10116 - Fix problem reported by Jaco Engelbrecht where unbound-control stats
10119 - iana portlist updated.
10120 - test for remote control with interprocess communication.
10121 - created command distribution mechanism so that remote control
10124 - fixup remote control local_data addition memory corruption bug.
10127 - SElinux policy files in contrib/selinux for the unbound daemon,
10131 - configure complains when --without-ssl is given (bug #220).
10132 - skip unsupported feature tests on vista/mingw.
10133 - fixup testcode/streamtcp to work on vista/mingw.
10134 - root-hints test checks version of dig required.
10135 - blacklisted servers are polled at a low rate (1%) to see if they
10139 - document that the user of the server daemon needs read privileges
10140 on the keys and certificates generated by unbound-control-setup.
10143 i.e. sudo -u unbound unbound-control-setup
10144 - testset port to vista/mingw.
10145 - tcp_sigpipe to freebsd port.
10148 - fixed tcp accept, errors were printed when they should not.
10149 - unbound-control-setup.sh removes read/write permissions other
10153 - fixup fatal error due to faulty error checking after tcp accept.
10154 - add check in rlimit to avoid integer underflow.
10155 - rlimit check with new formula; better estimate for number interfaces
10156 - nicer comments in rlimit check.
10157 - tag 1.1.1 created in svn.
10158 - trunk label is 1.1.2
10161 - bug #219: fixed so that syslog which delays opening until the first
10165 - iana portlist updated.
10166 - removed cast in unit test debug print that was not 64bit safe.
10167 - trunk back to 1.1.0; copied to tags 1.1.0 release.
10168 - trunk to has version number 1.1.1 again.
10169 - in 1.1.1; make clean nicer. grammar in manpage.
10172 - theoretical fix for problems reported on mailing list.
10173 If a delegation point has no A but only AAAA and do-ip6 is no,
10177 - test for above, only AAAA and doip6 is no. Fix causes A record
10179 - fixup address duplication on cache fillup for delegation points.
10180 - testset updated for new query answer requirements.
10183 - created 1.1.0 release tag in svn.
10184 - trunk moved to 1.1.1
10185 - fixup unittest-neg for locking.
10188 - added fedora init and specfile to contrib (by Paul Wouters).
10189 - added configure check for ldns 1.4.0 (using its compat funcs).
10190 - neater comments in worker.h.
10191 - removed doc/plan and updated doc/TODO.
10192 - silenced EHOSTDOWN (verbosity 2 or higher to see it).
10193 - review comments from Jelte, Matthijs. Neater code.
10196 - add unbound-control manpage to makedist replace list.
10199 - unit test for negative cache, stress tests the refcounting.
10200 - fix for refcounting error that could cause fptr_wlist fatal exit
10203 - nicer comments in cachedump about failed RR to string conversion.
10204 - fix 32bit wrap around when printing large (4G and more) mem usage
10208 - fixup the getaddrinfo compat code rename.
10211 - added configure check for eee build warning.
10214 - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
10215 - detect nonblocking problems in network stack in configure script.
10218 - dname_priv must decompress the name before comparison.
10219 - iana portlist updated.
10222 - fixed possible memory leak in key_entry_key deletion.
10224 - if query and reply qname overlap, the bytes are skipped not copied.
10225 - fixed file descriptor leak when messages were jostled out that
10227 - DNAMEs used from cache have their synthesized CNAMEs initialized
10229 - fixed file descriptor leak for localzone type deny (for TCP).
10230 - fixed memleak at exit for nsec3 negative cached zones.
10231 - fixed memleak for the keyword 'nodefault' when reading config.
10232 - made verbosity of 'edns incapable peer' warning higher, so you
10234 - caught elusive Bad file descriptor error bug, that would print the
10238 - fixed -Wwrite-strings warnings that result in better code.
10241 - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
10242 - generated configure with autoconf-2.61.
10243 - iana portlist updated.
10244 - detect if libssl needs libdl. For static linking with libssl.
10245 - changed to use new algorithm identifiers for sha256/sha512
10247 - updated the included ldns tarball.
10248 - proper detection of SHA256 and SHA512 functions (not just sizes).
10251 - a little more debug info for failure on signer names. prints names.
10254 - CFLAGS are picked up by configure from the environment.
10255 - iana portlist updated.
10256 - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
10257 - new stub-prime: yesno option. Default is off, so it does not prime.
10259 - made automated test that checks if builtin root hints are uptodate.
10260 - finished draft-wijngaards-dnsext-resolver-side-mitigation
10261 implementation. The unwanted-reply-threshold can be set.
10262 - fixup so fptr_whitelist test in alloc.c works.
10265 - fix update-anchors.sh, so it does not report different RR order
10267 - fixup testbound on windows, the command control pipe doesn't exist.
10268 - skip 08hostlib test on windows, no fork() available.
10269 - made unbound-remote work on windows.
10272 - quench a log message that is debug only.
10273 - iana portlist updated.
10274 - do not query bogus nameservers. It is like nameservers that have
10276 - if server selection is faced with only bad choices, it will
10278 - changed bogus-ttl default value from 900 to 60 seconds.
10287 - fixup unbound-control compilation on windows.
10290 - port Leopard/G5: fixup type conversion size_t/uint32.
10292 - harden referral path now also validates the root after priming.
10297 - Fixup negative TTL values appearing (reported by Attila Nagy).
10300 - better documentation for 0x20; remove fallback TODO, it is done.
10301 - harden-referral-path feature includes A, AAAA queries for glue,
10303 A, AAAA use the delegation from the NS-query.
10306 - fwd_three.tpkg test was flaky. If the three requests hit the
10309 - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
10310 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
10312 - fwd_three test remains flaky now that unbound does not stop
10315 Mostly only useful for lock-check testing now.
10318 - fixed recursion servers deployed as authoritative detection, so
10321 - iana port list update.
10322 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
10325 - fixup tests - the negative cache contained the correct NSEC3s for
10329 - negative cache caps max iterations of NSEC3 done.
10330 - NSEC3 negative cache for qtype DS works.
10333 - NSEC negative cache for DS.
10336 - jostle-timeout option, so you can config for slow links.
10337 - 0x20 fallback code. Tries 3xnumber of nameserver addresses
10339 - documented choices for DoS, EDNS, 0x20.
10342 - fixup unlink of pidfile.
10343 - fixup SHA256 algorithm collation code.
10344 - contrib/update-anchor.sh does not overwrite anchors if not needed.
10346 so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
10350 - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
10351 - tests for sha256 support and downgrade resistance.
10352 - RSASHA256 and RSASHA512 support (using the draft in dnsext),
10354 - when using stub on localhost (127.0.0.1@10053) unbound works.
10357 - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
10360 - EDNS lameness detection, if EDNS packets are dropped this is
10362 - multiple query timeout rtt backoff does not backoff too much.
10365 - tests for remote-control.
10366 - small memory leak in exception during remote control fixed.
10367 - fixup for lock checking but not unchecking in remote control.
10368 - iana portlist updated.
10371 - Msg cache is loaded. A cache load enables cache responses.
10372 - unbound-control flush [name], flush_type and flush_zone.
10375 - dump_cache and load_cache statements in unbound-control.
10380 - locking on the localdata structure.
10381 - add and remove local zone and data with unbound-control.
10382 - ldns trunk snapshot updated, make tests work again.
10385 - fixup error in time calculation.
10386 - munin plugin improvements.
10387 - nicer abbreviations for high query types values (ixfr, axfr, any...)
10388 - documented the statistics output in unbound-control man page.
10389 - extended statistics prints out histogram, over unbound-control.
10392 - locking for threadsafe bogus rrset counter.
10393 - ldns trunk no longer exports b32 functions, provide compat.
10394 - ldns tarball updated.
10395 - testcode/ldns-testpkts.c const fixups.
10396 - fixed rcode stat printout.
10397 - munin plugin in contrib.
10398 - stats always printout uptime, because stats plugins need it.
10401 - extended-statistics: yesno config option.
10402 - unwanted replies spoof nearmiss detector.
10403 - iana portlist updated.
10406 - working start, stop, reload commands for unbound-control.
10407 - test for unbound-control working; better exit value for control.
10408 - verbosity control via unbound-control.
10409 - unbound-control stats.
10412 - removed browser control mentions. Proto speccy.
10415 - set nonblocking on new TCP streams, because linux does not inherit
10417 - fix TCP timeouts.
10418 - SSL protected connection between server and unbound-control.
10421 - remove memleak in privacy addresses on reloads and quits.
10422 - remote control work.
10425 - smallapp/unbound-control-setup.sh script to set up certificates.
10428 - scrubber scrubs away private addresses.
10429 - test for private addresses. man page entry.
10430 - code refactored for name and address tree lookups.
10433 - options for 'DNS Rebinding' protection: private-address and
10434 private-domain.
10435 - dnstree for reuse of routines that help with domain, addr lookups.
10436 - private-address and private-domain config option read, stored.
10439 - DoS protection features. Queries are jostled out to make room.
10440 - testbound can pass time, increasing the internal timer.
10441 - do not mark unsigned additionals bogus, leave unchecked, which
10445 - disallow nonrecursive queries for cache snooping by default.
10446 You can allow is using access-control: <subnet> allow_snoop.
10448 - two tests for it and fixups of tests for nonrec refused.
10451 - version 1.1 number in trunk.
10452 - harden-referral-path option for query for NS records.
10456 - fixup logfile handling; it is created with correct permissions
10459 and these are only visible by using the -d commandline flag.
10462 - daemon(3) is causing problems for people. Reverting the patch.
10464 - bug#199 fixed: pidfile can be outside chroot. openlog is done before
10466 - config option to set size of aggressive negative cache,
10467 neg-cache-size.
10468 - bug#203 fixed: dlv has been implemented.
10471 - test for insecure zone when DLV is in use, also does negative cache.
10472 - test for trustanchor when DLV is in use (the anchor works).
10473 - test for DLV used for a zone below a trustanchor.
10474 - added scrub filter for overreaching NSEC records and unit test.
10475 - iana portlist update
10476 - use of setresuid or setreuid when available.
10477 - use daemon(3) if available.
10480 - realclean patch from Robert Edmonds.
10483 - nicer debuglogging of DLV.
10484 - test with secure delegation inside the DLV repository.
10487 - negative cache code linked into validator, for DLV use.
10489 - iana portlist update.
10490 - dlv-anchor option for unit tests.
10491 - fixup NSEC_AT_APEX classification for short typemaps.
10492 - ldns-testns has subdomain checks, for unit tests.
10495 - negative cache code, reviewed.
10498 - changes info: in logfile to notice: info: or debug: depending on
10501 - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
10504 - DLV nsec code fixed for better detection of closest existing
10506 - DLV works, straight to the dlv repository, so not for production.
10507 - Iana port update.
10510 - synthesize DLV messages from the rrset cache, like done for DS.
10513 - bug #203: nicer do-auto log message when user sets incompatible
10515 - bug #204: variable name ameliorated in log.c.
10516 - bug #206: in iana_update, no egrep, but awk use.
10517 - ldns snapshot r2699 taken (includes DLV type).
10518 - DLV work, config file element, trust anchor read in.
10521 - finished adjusting testset to provide qtype NS answers.
10524 - Fixup rrset security updates overwriting 2181 trust status.
10527 - Fix assertion fail on bogus key handling.
10528 - dnssec lameness detection works on first query at trust apex.
10529 - NS queries get proper cache and dnssec lameness treatment.
10530 - fixup compilation without pthreads on linux.
10533 - NS queries are done after every referral.
10537 - Scrubber more strict. CNAME chains, DNAMEs from cache, other
10539 - 1.0.2 released from 1.0 support branch.
10540 - fixup update-anchor.sh to work both in BSD shell and bash.
10543 - fixup DS test so apex nodata works again.
10546 - iana port update.
10547 - TODO update.
10548 - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
10549 - added explanatory text for outgoing-port-permit in manpage.
10552 - fixup bug qtype DS for unsigned zone and signed parent validation.
10555 - added original copyright statement of OpenBSD arc4random code.
10556 - created tube signaling solution on windows, as a pipe replacement.
10558 - removed very insecure socketpair compat code. It also did not
10560 - unbound -h prints openssl version number as well.
10563 - moved pipe actions to util/tube.c. easier porting and shared code.
10564 - check _raw() commpoint callbacks with fptr_wlist.
10565 - iana port update.
10568 - #198: nicer entropy warning message. manpage OS hints.
10571 - #198: fixup man page to suggest chroot entropy fix.
10574 - branch for 1.0 support.
10575 - trunk work on tube.c.
10578 - fix bug #196, compile outside source tree.
10579 - fix bug #195, add --with-username=user configure option.
10580 - print error and exit if started with config that requires more
10584 - made svn tag 1.0.1, trunk now 1.0.2
10585 - sha256 checksums enabled in makedist.sh
10588 - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
10590 - fixup lookup of DS records by client with trustanchor for same.
10591 - libunbound ub_resolve, fix handling of error condition during setup.
10592 - lowered log_hex blocksize to fit through BSD syslog linesize.
10593 - no useless initialisation if getpwnam not available.
10594 - iana, ldns snapshot updated.
10597 - Matthijs fixed memory leaks in root hints file reading.
10600 - fixup streamtcp bounds setting for udp mode, in the test framework.
10601 - contrib item for updating trust anchors.
10604 - fixup fwd_ancil test typos.
10605 - Fix for newegg lameness : ok for qtype=A, but lame for others.
10606 - fixup unit test for infra cache, test lame merging.
10607 - porting to mingw, bind, listen, getsockopt and setsockopt error
10611 - removed testcode/checklocks from production code compilation path.
10612 - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
10614 - fwd_ancil test fails if platform support is lacking.
10617 - fixup minitpkg to cleanup on windows with its file locking troubles.
10618 - minitpkg shows skipped tests in report.
10619 - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
10621 - winsock event handler keeps track of sticky TCP events, that have
10624 - skip tests that need signals when testing on mingw.
10627 - open testbound replay files in binary mode, because fseek/ftell
10628 do not work in ascii-mode on windows. The b does nothing on unix.
10630 - ioctlsocket prints nicer error message.
10631 - fixed up some TCP porting for winsock.
10632 - lack of IPv6 gives a warning, no fatal error.
10633 - use WSAGetLastError() on windows instead of errno for some errors.
10636 - outgoing num fds 32 by default on windows ; it supports less
10638 - winsock_event minievent handler for windows. (you could also
10640 - neater crypto check and gdi32 detection.
10641 - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
10644 - on windows, use windows threads, mutex and thread-local-storage(Tls).
10645 - detect if openssl needs gdi32.
10646 - if no threading, THREADS_DISABLED is defined for use in the code.
10647 - sets USE_WINSOCK if using ws2_32 on windows.
10648 - wsa_strerror() function for more readable errors.
10649 - WSA Startup and Cleanup called in unbound.exe.
10652 - port mingw32, more signal ifdefs, detect sleep, usleep,
10654 - signed or unsigned FD_SET is cast.
10657 - fixup warnings compiling on eeepc xandros linux.
10660 - in iteration response type code
10663 * check if no AA bit for non-forwarder, and thus lame zone.
10665 - fixup unput warning from lexer on freeBSD.
10666 - bug#183. pidfile, rundir, and chroot configure options. Also the
10669 --with-conf-file=filename
10670 --with-pidfile=filename
10671 --with-run-dir=path
10672 --with-chroot-dir=path
10675 - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
10677 - iana port updated.
10680 - updated libtool files with newer version.
10681 - iana portlist updated.
10684 - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
10688 - Jelte fixed bugs in my absence
10689 - bug 178: fixed unportable shell usage in configure (relied on
10691 - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
10692 - bug 181: fixed buffer overflow in ldns (called by unbound to parse
10694 - fixes by Wouter
10695 - bug 177: fixed compilation failure on opensuse, the
10696 --disable-static configure flag caused problems. (Patch from
10698 - bug 179: same fix as 177.
10699 - bug 185: --disable-shared not passed along to ldns included with
10705 - update of the ldns tarball to current ldns svn version (fix 181).
10706 - bug 184: -r option for unbound-host, read resolv.conf for
10711 - mingw32 porting.
10712 - test for sys/wait.h
10713 - WSAEWOULDBLOCK test after nonblocking TCP connect.
10714 - write_iov_buffer removed: unused and no struct iov on windows.
10715 - signed/unsigned warning fixup mini_event.
10716 - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
10717 - skip signals that are not defined
10718 - detect pwd.h.
10719 - detect getpwnam, getrlimit, setsid, sbrk, chroot.
10720 - default config has no chroot if chroot() unavailable.
10721 - if no kill() then no pidfile is read or written.
10722 - gmtime_r is replaced by nonthreadsafe alternative if unavail.
10726 - contrib unbound.spec from Patrick Vande Walle.
10727 - fixup bug#175: call tzset before chroot to have correct timestamps
10729 - do not generate lex input and lex unput functions.
10730 - mingw port. replacement functions labelled _unbound.
10731 - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
10734 - fedora 9, check in6_pktinfo define in configure.
10735 - CREDITS fixup of history.
10736 - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
10739 - fixup for MacOSX hosts file reading (reported by John Dickinson).
10740 - created 1.0.0 svn tag.
10741 - trunk version 1.0.1.
10744 - accepted patch from Ondrej Sury for library version libtool option.
10745 - configure --disable-rpath fixes up libtool for rpath trouble.
10749 - Added root ipv6 addresses to builtin root hints.
10750 - TODO modified for post 1.0 plans.
10751 - trunk version set to 1.0.0.
10752 - no unnecessary linking with librt (only when libevent/libev used).
10755 - fixup no-ip4 problem with error callback in outside network.
10758 - DESTDIR is honored by the Makefile for rpms.
10759 - contrib files unbound.spec and unbound.init, builds working RPM
10761 - iana ports update.
10764 - chroot checks improved. working directory relative to chroot.
10766 - nicer example.conf text.
10767 - created 0.11 tag.
10770 - parseunbound.pl contrib update from Kai Storbeck for threads.
10771 - iana ports update
10774 - ignore SIGPIPE.
10775 - unit test for SIGPIPE ignore.
10778 - FEATURES document.
10779 - fixup reread of config file if it was given as a full path
10783 - requirements doc, updated clean query returns.
10784 - parseunbound.pl update from Kai Storbeck.
10785 - sunos4 porting changes.
10788 - fixup default rc.d pidfile location to /usr/local/etc.
10789 - iana ports updated.
10790 - copyright updated in ldns-testpkts to keep same as in ldns.
10791 - fixup checkconf chroot tests a bit more, chdir must be inside
10793 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
10794 - example.conf values changed to /usr/local/etc/unbound
10795 - DSA test work.
10796 - DSA signatures: unbound is compatible with both encodings found.
10800 - got update for parseunbound.pl statistics script from Kai Storbeck.
10801 - tpkg tests for udp wait list.
10802 - documented 0x20 status.
10803 - fixup chroot and checkconf, it is much smarter now.
10804 - fixup DSA EVP signature decoding. Solution that Jelte found copied.
10805 - and check first sig byte for the encoding type.
10808 - random port selection out of the configged ports.
10809 - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
10810 - removed base_port.
10811 - created 256-port ephemeral space for the OS, 59802 available.
10812 - fixup consistency of port_if out array during heavy use.
10815 - --with-libevent works with latest libevent 1.4.99-trunk.
10816 - added log file statistics perl script to contrib.
10817 - automatic iana ports update from makefile. 60058 available.
10820 - configure can detect libev(from its build directory) when passed
10821 --with-libevent=/home/wouter/libev-3.2
10822 libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
10823 - unused commpoints not listed in epoll list.
10824 - statistics-cumulative option so that the values are not reset.
10825 - config creates array of available ports, 61841 available,
10830 - unbound tries to set the ulimit fds when started as server.
10834 - documented /dev/random symlink from chrootdir as FAQ entry.
10837 - implemented AD bit signaling. If a query sets AD bit (but not DO)
10840 path from the client to the resolver. Follows dnssec-updates draft.
10843 - implemented check that for NXDOMAIN and NOERROR answers a query
10851 - RTT banding. Band size 400 msec, this makes band around zero (fast)
10855 - -C config feature for harvest program.
10856 - harvest handles CNAMEs too.
10859 - patch from Hugo Koji Kobayashi for iterator logs spelling.
10862 - From report by Jinmei Tatuya, rfc2181 trust value for remainder
10864 - test for this fix.
10865 - default config file location is /usr/local/etc/unbound.
10870 - Create 0.10 svn tag.
10871 - 0.11 version in trunk.
10872 - indentation nicer.
10875 - documentation update.
10876 - fixup port to Solaris of perf test tool.
10877 - updated ldns-tarball with decl-after-statement fixes.
10880 - fixed memory leaks in libunbound (during cancellation and wait).
10881 - libunbound returns the answer packet in full.
10882 - snprintf compat update.
10883 - harvest performs lookup.
10884 - ldns-tarball update with fix for ldns_dname_label.
10885 - installs to sbin by default.
10886 - install all manual pages (unbound-host and libunbound too).
10889 - option to use caps for id randomness.
10890 - config file option use-caps-for-id: yes
10891 - harvest debug tool
10894 - delay utility delays TCP as well. If the server that is forwarded
10896 - delay does REUSE_ADDR, and can handle a server that closes its end.
10897 - answers use casing from query.
10900 - delay utility works. Gets decent thoughput too (>20000).
10903 - +2% for recursions, if identical queries (except for destination
10904 and query ID) in the reply list, avoid re-encoding the answer.
10905 - removed TODO items for optimizations that do not show up in
10907 - default is now minievent - not libevent. As its faster and
10909 - loop check different speedup pkt-dname-reading, 1% faster for
10910 nocache-recursion check.
10911 - less hashing during msg parse, 4% for recursion.
10912 - small speed fix for dname_count_size_labels, +1 or +2% recursion.
10913 - some speed results noted:
10921 - delay utility for testing.
10924 - speedup of root-delegation message encoding by 15%.
10925 - minor speedup of compress tree_lookup, maybe 1%.
10926 - speedup of dname_lab_cmp and memlowercmp - the top functions in
10930 - setup speec_cache for need-ldns-testns in dotests.
10931 - check number of queued replies on incoming queries to avoid overload
10933 - fptr whitelist checks are not disabled in optimize mode.
10934 - do-daemonize config file option.
10935 - minievent time share initializes time at start.
10936 - updated testdata for nsec3 new algorithm numbers (6, 7).
10937 - small performance test of packet encoding (root delegation).
10940 - applied patch to unbound-host man page from Jan-Piet Mens.
10941 - fix donotquery-localhost: yes default (it erroneously was switched
10943 - time is only gotten once and the value is shared across unbound.
10944 - unittest cleans up crypto, so that it has no memory leaks.
10945 - mini_event shares the time value with unbound this results in
10947 - ldns tarball update with new NSEC3 sign code numbers.
10948 - perform several reads per UDP operation. This improves performance
10951 - modified asynclook test. because the callback from async is not
10962 - patch to unbound-host from Jan-Piet Mens.
10963 - unbound host prints errors if fails to configure context.
10964 - fixup perf to resend faster, so that long waiting requests do
10968 - fixup iterator operating in no cache conditions (RD flag unset
10970 - streamlined code for RD flag setting.
10971 - profiled code and changed dname compares to be faster.
10973 - minievent tests for eintr and eagain.
10976 - added FreeBSD rc.d script to contrib.
10977 - --prefix option for configure also changes directory: pidfile:
10979 - added cache speed test, for cache size OK and cache too small.
10982 - start without a config file (will complain, but start with
10984 - perf test program works.
10987 - 0.9 released.
10988 - 1.0 development. Printout ldns version on unbound -h.
10989 - start of perf tool.
10990 - bugfix to read empty lines from /etc/hosts.
10993 - fixup problem with configure calling itself if ldns-src tarball
10997 - changed library to use ub_ instead of ub_val_ as prefix.
10998 - statistics output text nice.
10999 - etc/hosts handling.
11000 - library function to put logging to a stream.
11001 - set any option interface.
11004 - test program for multiple queries over a TCP channel.
11005 - tpkg test for stream tcp queries.
11006 - unbound replies to multiple TCP queries on a TCP channel.
11007 - fixup misclassification of root referral with NS in answer
11009 - tag 0.9
11010 - layout of manpages, spelling fix in header, manpages process by
11011 makedist, list asynclook and tcpstream tests as ldns-testns
11015 - moved up all current level 2 to be level 3. And 3 to 4.
11018 - verbosity level 2. Describes recursion and validation.
11019 - cleaner configure script and fixes for libevent solaris.
11020 - signedness for log output memory sizes in high verbosity.
11023 - clearer explanation of threading configure options.
11024 - fixup asynclook test for nothreading (it creates only one process
11026 - changed name of ub_val_result_free to ub_val_resolve_free.
11027 - removes warning message during library linking, renamed
11028 libunbound/unbound.c -> libunbound.c and worker to libworker.
11029 - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
11032 - statistics-interval: seconds option added.
11033 - test for statistics option
11034 - ignore errors making directories, these can occur in parallel builds
11035 - fixup Makefile strip command and libunbound docs typo.
11038 - bg thread/process reads and writes the pipe nonblocking all the time
11043 - check trailing / on chrootdir in checkconf.
11044 - check if root hints and anchor files are in chrootdir.
11045 - no route to host tcp error is verbosity level 2.
11046 - removed unused send_reply_iov. and its configure check.
11047 - added prints of 'remote address is 1.2.3.4 port 53' to errors
11051 - fixup uninit use of buffer by libunbound (query id, flags) for
11053 - fixup uninit warning from random.c; also seems to fix sporadic
11055 - made openssl entropy warning more silent for library use. Needs
11057 - fixup forgotten locks for rbtree_searches on ctx->query tree.
11058 - random generator cleanup - RND_STATE_SIZE removed, and instead
11059 a super-rnd can be passed at init to chain init random states.
11060 - test also does lock checks if available.
11061 - protect config access in libworker_setup().
11062 - libevent doesn't like comm_base_exit outside of runloop.
11063 - close fds after removing commpoints only (for epoll, kqueue).
11066 - added tpkg for asynclook and library use.
11067 - allows localhost to be queried when as a library.
11068 - fixup race condition between cancel and answer (in case of
11070 - please doxygen, put doxygen comment in one place.
11071 - asynclook -b blocking mode and test.
11072 - refactor asynclook, nicer code.
11073 - fixup race problems from opensll in rand init from library, with
11075 - fix pass async_id=NULL to _async resolve().
11076 - rewrote _wait() routine, so that it is threadsafe.
11077 - cancelation is threadsafe.
11078 - asynclook extended test in tpkg.
11079 - fixed two races where forked bg process waits for (somehow shared?)
11084 - tested the cancel() function.
11085 - asynclook -c (cancel) feature.
11086 - fix fail to allocate context actions.
11087 - make pipe nonblocking at start.
11088 - update plane for retry mode with caution to limit bandwidth.
11089 - fix Makefile for concurrent make of unbound-host.
11090 - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
11091 - new calls to set forwarding added to header and docs.
11094 - removed debug prints from if-auto, verb-algo enables some.
11095 - libunbound QUIT setup, remove memory leaks, when using threads
11101 - library code for async in libunbound/unbound.c.
11102 - fix link testbound.
11103 - fixup exit bug in mini_event.
11104 - background worker query enter and result functions.
11105 - bg query test application asynclook, it looks up multiple
11109 - libworker work, netevent raw commpoints, write_msg, serialize.
11112 - touch up of manpage for libunbound.
11113 - support for IP_RECVDSTADDR (for *BSD ip4).
11114 - fix for BSD, do not use ip4to6 mapping, make two sockets, once
11116 - goodbye ip4to6 mapping.
11117 - update ldns-testpkts with latest version from ldns-trunk.
11118 - updated makedist for relative ldns pathnames.
11119 - library API with more information inside the result structure.
11120 - work on background resolves.
11123 - fixup configure in case -lldns is installed.
11124 - fixup a couple of doxygen warnings, about enum variables.
11125 - interface-automatic now copies the interface address from the
11127 - manual page with library API, all on one page 'man libunbound'.
11128 - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
11131 - incoming queries to the server with TC bit on are replied FORMERR.
11132 - interface-automatic replied the wrong source address on localhost
11134 to use ifnum=-1 to mean 'no interface, use kernel route'.
11137 - interface-automatic feature. experimental. Nice for anycast.
11138 - tpkg test for ip6 ancillary data.
11139 - removed debug prints.
11140 - porting experience, define for Solaris, test refined for BSD
11142 - makedist fixup for ldns-src in build-dir.
11145 - in no debug sets NDEBUG to remove asserts.
11146 - configure --enable-debug is needed for dependency generation
11148 - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
11149 - fix lint, unit test in optimize mode.
11150 - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
11153 - man page, warning removed.
11154 - added text describing the use of stub zones for private zones.
11155 - checkconf tests for bad hostnames (IP address), and for doubled
11157 - memory sizes can be given with 'k', 'Kb', or M or G appended.
11160 - typo in example.conf.
11161 - made using ldns-src that is included the package more portable
11163 - nicer do-ip6: yes/no documentation.
11164 - nicer linking of libevent .o files.
11165 - man pages render correctly on solaris.
11168 - fixup openssl RAND problem, when the system is not configured to
11172 - print median and quartiles with extensive logging.
11175 - document misconfiguration in private network.
11178 - fixup typo in requirements.
11179 - document that 'refused' is a better choice than 'drop' for
11183 - unbound-host has a -d option to show what happens. This can help
11185 - fixup CNAME handling, on nodata, sets and display canonname.
11186 - dot removed from CNAME display.
11187 - respect -v for NXDOMAINs.
11188 - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
11189 - size_t to int for portability of the header file.
11190 - fixup bogus handling.
11191 - dependencies and lint for unbound-host.
11194 - library resolution works in foreground mode, unbound-host app
11196 - unbound-host prints rdata using ldns.
11197 - unbound-host accepts trust anchors, and prints validation
11198 information when you give -v.
11201 - locking in context_new() inside the function.
11202 - setup of libworker.
11205 - minor Makefile fixup.
11206 - moved module-stack code out of daemon/daemon into services/modstack,
11207 preparing for code-reuse.
11208 - move context into own header file.
11209 - context query structure.
11210 - removed unused variable pwd from checkconf.
11211 - removed unused assignment from outside netw.
11212 - check timeval length of string.
11213 - fixup error in val_utils getsigner.
11214 - fixup same (*var) error in netblocktostr.
11215 - fixup memleak on parse error in localzone.
11216 - fixup memleak on packet parse error.
11217 - put ; after union in parser.y.
11218 - small hardening in iter_operate against iq==NULL.
11219 - hardening, if error reply with rcode=0 (noerror) send servfail.
11220 - fixup same (*var) error in find_rrset in msgparse, was harmless.
11221 - check return value of evtimer_add().
11222 - fixup lockorder in lruhash_reclaim(), building up a list of locked
11224 - fptr_wlist for markdelfunc.
11225 - removed is_locked param from lruhash delkeyfunc.
11226 - moved bin_unlock during bin_split purely to please.
11229 - changed checkconf/ to smallapp/ to make room for more support tools.
11230 (such as unbound-host).
11231 - install dirs created with -m 755 because they need to be accessible.
11232 - library extensive featurelist added to TODO.
11233 - please doxygen, lint.
11234 - library test application, with basic functionality.
11235 - fix for building in a subdirectory.
11236 - link lib fix for Leopard.
11239 - makefile that creates libunbound.la, basic file or libunbound.a
11241 - more API setup.
11244 - 0.9 public API start.
11247 - Changeup plan for 0.8 - no complication needed, a simple solution
11249 - you can use single quotes in the config file, so it is possible
11251 - fixup small memory problem in implicit transparent zone creation.
11252 - test for implicit zone creation and multiple RR RRsets local data.
11253 - local-zone nodefault test.
11254 - show testbound testlist on commit.
11255 - iterator normalizer changes CNAME chains ending in NXDOMAIN where
11258 - nicer verbosity: 0 and 1 levels.
11259 - lower nonRDquery chance of eliciting wrongly typed validation
11261 - fix for nonRDquery validation typing; nodata is detected when
11262 SOA record in auth section (all validation-requiring nodata messages
11265 - duplicate checking when adding NSECs for a CNAME, and test.
11266 - created svn tag 0.8, after completing testbed tests.
11269 - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
11270 - set size of msgparse lookup table to 32, from 1024, so that its size
11273 - update of memstats tool to print number of allocation calls.
11278 - noted EDNS in-the-middle dropping trouble as a TODO.
11280 - added all default AS112 zones.
11281 - answers from local zone content.
11285 * empty-nonterminal answer.
11288 - test for correct working of static and transparent and couple
11291 - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
11294 - local zone internal data setup.
11297 - 0.8 - str2list config support for double string config options.
11298 - local-zone and local-data options, config storage and documentation.
11301 - do not downcase NSEC and RRSIG for verification. Follows
11302 draft-ietf-dnsext-dnssec-bis-updates-06.txt.
11303 - fixup leaking unbound daemons at end of tests.
11304 - README file updated.
11305 - nice libevent not found error.
11306 - README talks about gnu make.
11307 - 0.8: unit test for addr_mask and fixups for it.
11309 - 0.8: access-control config file element.
11311 - 0.8: fixup address reporting from netevent.
11314 - privilege separation is not needed in unbound at this time.
11316 - created beta-0.7 branch for support.
11317 - tagged 0.7 for beta release.
11318 - moved trunk to 0.8 for 0.8(auth features) development.
11319 - 0.8: access control list setup.
11322 - review fixups from Jelte.
11325 - testbed script does not recreate configure, since its in svn now.
11326 - fixup checkconf test so that it does not test
11328 - tag 0.6.
11331 - remove debug print.
11332 - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
11335 - fixup signal handling where SIGTERM could be ignored if a SIGHUP
11337 - bugreports to unbound-bugs@nlnetlabs.nl
11338 - fixup testbound so it exits cleanly.
11339 - cleanup the caches on a reload, so that rrsetID numbers won't clash.
11342 - took ldns snapshot in repo.
11343 - default config file is /etc/unbound/unbound.conf.
11346 - default listening is not all, but localhost interfaces.
11349 - Fixup chroot and drop user privileges.
11350 - new L root ip address in default hints.
11353 - Fixup of crash on reload, due to anchors in env not NULLed after
11355 - Fixup of chroot call. Happens after privileges are dropped, so
11357 - minor touch up of clear() hashtable function.
11358 - VERB_DETAIL prints out what chdir, username, chroot is being done.
11359 - when id numbers run out, caches are cleared, as in design notes.
11361 - harden-dnssec-stripped: yes is now default. It insists on dnssec
11365 - cache-max-ttl config option.
11366 - building outside sourcedir works again.
11367 - defaults more secure:
11371 - fix horrible oversight in sorting rrset references in a message,
11373 - pidfile: "/etc/unbound/unbound.pid" is now the default.
11374 - tests changed to reflect the updated default.
11375 - created hashtable clear() function that respects locks.
11378 - fixup assertion failure that relied on compressed names to be
11381 - quieter logging at low verbosity level for common tcp messages.
11382 - no greedy TTL update.
11385 - fixup (grand-)parent problem for dnssec-lameness detection.
11386 - fixup tests to do additional section processing for lame replies,
11388 - no longer trust in query section in reply during dnssec lame detect.
11389 - dnssec lameness does not make the server never ever queried, but
11390 non-preferred. If no other servers exist or answer, the dnssec lame
11392 - added test then when trust anchor cannot be primed (nodata), the
11394 - Fixup max queries per thread, any more are dropped.
11397 - added donotquerylocalhost config option. Can be turned off for
11399 - ISO C compat changes.
11400 - detect RA-no-AA lameness, as LAME.
11401 - DNSSEC-lameness detection, as LAME.
11403 - tests for lameness detection.
11404 - added all to make test target; need unbound for fwd tests.
11405 - testbound does not pollute /etc/unbound.
11408 - added configure (and its files) to svn, so that the trunk is easier
11411 - added yacc/lex generated files, util/configlexer.c,
11413 - without lex no attempt to use it.
11414 - unsecure response validation collated into one block.
11415 - remove warning about const cast of cfgfile name.
11416 - outgoing-interfaces can be different from service interfaces.
11417 - ldns-src configure is done during unbound configure and
11418 ldns-src make is done during unbound make, and so inherits the
11420 - nicer error when libevent problem causes instant exit on signal.
11421 - read root hints from a root hint file (like BIND does).
11424 - addresses are logged with errors.
11425 - fixup testcode fake event to remove pending before callback
11427 - tests updated because retries are now in iterator module.
11428 - ldns-testpkts code is checked for differences between unbound
11430 - ldns trunk from today added in svn repo for fallback in case
11433 - ldns-src.tar.gz is used if no ldns is found on the system, and
11435 - start of regional allocator code.
11436 - regional uses less memory and variables, simplified code.
11437 - remove of region-allocator.
11438 - alloc cache keeps a cache of recently released regional blocks,
11440 - make unit test cleanly free memory.
11443 - fixup another cycle detect and ns-addr timeout resolution bug.
11445 when resolving a mandatory-glue nameserver-address for that zone.
11449 - changed random generator from random(3) clone to arc4random wrapped
11452 - fix crash where failure to prime DNSKEY tried to print null pointer
11454 - removed some debug prints, only verb_algo (4) enables them.
11455 - fixup test; new random generator took new paths; such as one
11457 - mark insecure RRs as insecure.
11458 - fixup removal of nonsecure items from the additional.
11459 - reduced timeout values to more realistic, 376 msec (262 msec has
11461 - server selection failover to next server after timeout (376 msec).
11464 - no malloc in log_hex.
11465 - assertions around system calls.
11466 - protect against gethostname without ending zero.
11467 - ntop output is null terminated by unbound.
11468 - pidfile content null termination
11469 - various snprintf use sizeof(stringbuf) instead of fixed constant.
11470 - changed loopdetect % 8 with & 0x7 since % can become negative for
11472 - dname_pkt_copy checks length of result, to protect result buffers.
11475 - remove a size_t underflow from msgreply size func.
11478 - nicer warning.
11479 - fix IP6 TCP, wrong definition check. With test package.
11480 - fixup the fact that the query section was not compressed to,
11483 - more portable ip6 check for sockaddr types.
11486 - --disable-rpath option in configure for 64bit systems with
11490 - fixup tests for no AD bit in non-DO queries.
11491 - test that makes sure AD bit is not set on non-DO query.
11494 - removed logfile open early. It did not have the proper permissions;
11497 - callback checks for event callbacks done from mini_event. Because
11499 libevent the protection does not work on event-callbacks.
11500 - fixup too small reply (did not zero counts).
11501 - fixup reply no longer AD bit when query without DO bit.
11504 - function pointer whitelist.
11507 - overwrite sensitive random seed value after use.
11508 - switch to logfile very soon if not -d (console attached).
11509 - error messages do not reveal the trustanchor contents.
11510 - start work on function pointer whitelists.
11513 - fix for multiple empty nonterminals, after multiple DSes in the
11515 - mesh checks if modules are looping, and stops them.
11516 - refetch with CNAMEd nameserver address regression test added.
11517 - fixup line count bug in testcode, so testbound prints correct line
11519 - unit test for multiple ENT case.
11520 - fix for cname out of validated unsec zone.
11521 - fixup nasty id=0 reuse. Also added assertions to detect its
11525 - skip F77, CXX, objC tests in configure step.
11526 - fixup crash in refetch glue after a CNAME.
11530 - test case for unbound-checkconf, fixed so it also checks the
11534 - SIGHUP will reopen the log file.
11535 - Option to log to syslog.
11536 - please lint, fixup tests (that went to syslog on open, oops).
11537 - config check program.
11540 - tests for NSEC3. Fixup bitmap checks for NSEC3.
11541 - positive ANY response needs to check if wildcard expansion, and
11543 - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
11545 - create 0.5 release tag.
11548 - do not make test programs by default.
11549 - But 'make test' will perform all of the tests.
11550 - Advertise builtin select libevent alternative when no libevent
11552 - signit can generate NSEC3 hashes, for generating tests.
11553 - multiple nsec3 parameters in message test.
11554 - too high nsec3 iterations becomes insecure test.
11557 - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
11558 - fixup testcode lock safety (port FreeBSD).
11559 - removes subscript has type char warnings (port Solaris 9).
11560 - fixup of field with format type to int (port MacOS/X intel).
11561 - added test for infinite loop case in nonRD answer validation.
11565 proof is possible - the signature has been stripped off.
11568 - fixup and test for NSEC wildcard with empty nonterminals.
11569 - makedist.sh fixup for svn info.
11570 - acl features request in plan.
11571 - improved DS empty nonterminal handling.
11572 - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
11574 - striplab protection in case it becomes -1.
11575 - plans for static and blacklist config.
11578 - comments about non-packed usage.
11579 - plan for overload support in 0.6.
11580 - added testbound tests for a failed resolution from the logs
11582 - fixup so useless delegation points are not returned from the
11584 - fixup NSEC rdata not to be lowercased, bind compat.
11587 - wildcard nsec3 testcases, and fixup to get correct wildcard name.
11588 - validator prints subtype classification for debug.
11591 - NSEC3 hash cache unit test.
11592 - validator nsec3 nameerror test.
11595 - nsec3 nodata proof, nods proof, wildcard proof.
11596 - nsec3 support for cname chain ending in noerror or nodata.
11597 - validator calls nsec3 proof routines if no NSECs prove anything.
11598 - fixup iterator bug where it stored the answer to a cname under
11603 - nsec3 find matching and covering, ce proof, prove namerror msg.
11606 - fixup of manual page warnings, like for NSD bugreport.
11607 - nsec3 work, config, max iterations, filter, and hash cache.
11610 - fixup to find libevent on mac port install.
11611 - fixup size_t vs unsigned portability in validator/sigcrypt.
11612 - please compiler on different platforms, for unreachable code.
11613 - val_nsec3 file.
11614 - pthread_rwlock type is optional, in case of old pthread libs.
11617 - cname, name error validator tests.
11618 - logging of qtype ANY works.
11619 - ANY type answers get RRSIG in answer section of replies (but not
11621 - testbound can replay a TCP query (set MATCH TCP in the QUERY).
11622 - DS and noDS referral validation test.
11623 - if you configure many trust anchors, parent trust anchors can
11625 - not all *.name NSECs are present because a wildcard was matched,
11630 - configure option for memory allocation debugging.
11631 - port configure option for memory allocation to solaris10.
11634 - fixup of Leakage warning when serviced queries processed multiple
11636 - testbound removes config file from /tmp on failed exit.
11637 - fixup for referral cleanup of the additional section.
11638 - tests for cname, referral validation.
11639 - neater testbound tpkg output.
11640 - DNAMEs no longer match their apex when synthesized from the cache.
11641 - find correct signer name for DNAME responses.
11642 - wildcarded DNAME test and fixup code to detect.
11643 - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
11645 - test for a CNAME to a DNAME to a CNAME to an answer, all from
11650 - Fixed error in iterator that would cause assertion failure in
11654 - timeout on tcp does not lead to spurious leakage detect.
11655 - account memory for name of lame zones, so that memory leakages does
11657 - config setting for lameness cache expressed in bytes, instead of
11659 - tool too summarize allocations per code line.
11662 - can read bind trusted-keys { ... }; files, in a compatibility mode.
11663 - iterator should not detach target queries that it still could need.
11666 - validator nodata, positive, referral tests.
11667 - dname print can print '*' wildcard.
11670 - fixup override date config option.
11671 - config options to control memory usage.
11672 - caught bad free of un-alloced data in worker_send error case.
11673 - memory accounting for key cache (trust anchors and temporary cache).
11674 - memory accounting fixup for outside network tcp pending waits.
11675 - memory accounting fixup for outside network tcp callbacks.
11676 - memory accounting for iterator fixed storage.
11677 - key cache size and slabs config options.
11678 - lib crypto cleanups at exit.
11681 - test tool to sign rrsets for testing validator with.
11682 - added RSA and DSA test keys, public and private pairs, 512 bits.
11683 - default configuration is with validation enabled.
11684 Only a trust-anchor needs to be configured for DNSSEC to work.
11685 - do not convert to DER for DSA signature verification.
11686 - validator replay test file, for a DS to DNSKEY DSA key prime and
11690 - removed double use for udp buffers, that could fail,
11692 - validator validates referral messages, by validating all the rrsets
11696 - enforce that signing is done by a parent domain (or same domain).
11697 - adjust TTL downwards if rrset TTL bigger than signature allows.
11698 - permissive mode feature, sets AD bit for secure, but bogus does
11700 - optimization of rrset verification. rr canonical sorting is reused,
11703 - if the rrset is too big (64k exactly + large owner name) the
11705 - faster verification for large sigsets.
11706 - verb_detail mode reports validation failures, but not the entire
11711 - do not garble the edns if a cache answer fails.
11712 - answer norecursive from cache if possible.
11713 - honor clean_additional setting when returning secure non-recursive
11715 - do not store referral in msg cache for nonRD queries.
11716 - store verification status in the rrset cache to speed up future
11718 - mark rrsets indeterminate and insecure if they are found to be so.
11722 - message is bogus if unsecure authority rrsets are present.
11723 - val-clean-additional option, so you can turn it off.
11724 - move rrset verification out of the specific proof types into one
11726 - fixup cname handling in validator, cname-to-positive and cname-to-
11728 - Do not synthesize DNSKEY and DS responses from the rrset cache if
11731 - more verbose signature date errors (with the date attached).
11732 - increased default infrastructure cache size. It is important for
11737 - CNAME handling - move needs_validation to before val_new().
11738 val_new() setups the chase-reply to be an edited copy of the msg.
11742 - refuse to follow wildcarded DNAMEs when validating.
11746 - bogus TTL.
11747 - review - use val_error().
11750 - ANY response validation.
11751 - store security status in cache.
11752 - check cache security status and either send the query to be
11755 - do not examine security status on an error reply in mesh_done.
11756 - construct DS, DNSKEY messages from rrset cache.
11757 - manual page entry for override-date.
11760 - validate and positive validation, positive wildcard NSEC validation.
11761 - nodata validation, nxdomain validation.
11764 - process DNSKEY response in FINDKEY state.
11767 - work on DS2KE routine.
11768 - val_nsec.c for validator NSEC proofs.
11769 - unit test for NSEC bitmap reading.
11770 - dname iswild and canonical_compare with unit tests.
11773 - DS sig unit test.
11774 - latest release libevent 1.3c and 1.3d have threading fixed.
11775 - key entry fixup data pointer and ttl absolute.
11776 - This makes a key-prime succeed in validator, with DS or DNSKEY as
11777 trust-anchor.
11778 - fixup canonical compare byfield routine, fix bug and also neater.
11779 - fixed iterator response type classification for queries of type
11784 - validator FINDKEY state.
11787 - crypto calls to verify signatures.
11788 - unit test for rrsig verification.
11791 - default outgoing ports changed to avoid port 2049 by default.
11793 - count infra lameness cache in memory size.
11794 - accounting of memory improved
11795 - outbound entries are allocated in the query region they are for.
11796 - extensive debugging for memory allocations.
11797 - --enable-lock-checks can be used to enable lock checking.
11798 - protect undefs in config.h from autoheaders ministrations.
11799 - print all received udp packets. log hex will print on multiple
11801 - fixed error in parser with backwards rrsig references.
11802 - mark cycle targets for iterator did not have CD flag so failed
11806 - fixup makefile, if lexer is missing give nice error and do not
11808 - canonical compare routine updated.
11809 - canonical hinfo compare.
11810 - printout list of the queries that the mesh is working on.
11813 - malloc and free overrides that track total allocation and frees.
11815 - work on canonical sort.
11818 - canonicalization, signature checks
11819 - dname signature label count and unit test.
11820 - added debug heap size print to memory printout.
11821 - typo fixup in worker.c
11822 - -R needed on solaris.
11823 - validator override option for date check testing.
11826 - ldns _raw routines created (in ldns trunk).
11827 - sigcrypt DS digest routines
11828 - val_utils uses sigcrypt to perform signature cryptography.
11829 - sigcrypt keyset processing
11832 - security status type.
11833 - security status is copied when rdata is equal for rrsets.
11834 - rrset id is updated to invalidate all the message cache entries
11836 - val_util work
11837 - val_sigcrypt file for validator signature checks.
11840 - key cache for validator.
11841 - moved isroot and dellabel to own dname routines, with unit test.
11844 - replanning.
11845 - scrubber check section of lame NS set.
11846 - trust anchors can be in config file or read from zone file,
11848 - unit test trust anchor storage.
11849 - trust anchors converted to packed rrsets.
11850 - key entry definition.
11853 - configure change for latest libevent trunk version (needs -lrt).
11854 - query_done and walk_supers are moved out of module interface.
11855 - fixup delegation point duplicates.
11856 - fixup iterator scrubber; lame NS set is let through the scrubber
11858 - validator module exists, and does nothing but pass through,
11860 - validator work.
11863 - set version to 0.5
11864 - module work for module to module interconnections.
11865 - config of modules.
11866 - detect cycle takes flags.
11869 - updated plan
11870 - release 0.4 tag.
11873 - changed random state init, so that sequential process IDs are not
11874 cancelled out by sequential thread-ids in the random number seed.
11875 - the fwd_three test, which sends three queries to unbound, and
11876 unbound is kept waiting by ldns-testns for 3 seconds, failed
11882 - removed useless -C debug option. It did not work.
11883 - text edit of documentation.
11884 - added doc/CREDITS file, referred to by the manpages.
11885 - updated planning.
11888 - cycle detection, for query state dependencies. Will attempt to
11890 - unit test for AXFR, IXFR response.
11891 - test for cycle detection.
11894 - testbound read ADDRESS and check it.
11895 - test for version.bind and friends.
11896 - test for iterator chaining through several referrals.
11897 - test and fixup for refetch for glue. Refetch fails if glue
11901 - Example section in config manual.
11902 - Addr stored for range and moment in replay.
11905 - Check CNAME chain before returning cache entry with CNAMEs.
11906 - Option harden-glue, default is on. It will discard out of zone
11911 - if glue times out, refetch by asking parent of delegation again.
11913 - TODO items from forgery-resilience draft.
11915 - renamed module_event_timeout to module_event_noreply.
11916 - memory reporting code; reports on memory usage after handling
11920 - shuffle NS selection when getting nameserver target addresses.
11921 - fixup of deadlock warnings, yield cpu in checklock code so that
11923 - added identity and version config options and replies.
11924 - store cname messages complete answers.
11927 - do not query addresses, 127.0.0.1, and ::1 by default.
11930 - forward zone options in config file.
11931 - forward per zone in iterator. takes precedence over stubs.
11932 - fixup commithooks.
11933 - removed forward-to and forward-to-port features, subsumed by
11935 - fix parser to handle absent server: clause.
11936 - change untrusted rrset test to account for scrubber that is now
11938 - feature, addresses can be specified with @portnumber, like nsd.conf.
11939 - test config files changed over to new forwarder syntax.
11942 - delete of mesh does a postorder traverse of the tree.
11943 - found and fixed a memory leak. For TTL=0 messages, that would
11944 not be cached, instead the msg-replyinfo structure was leaked.
11945 - changed server selection so it will filter out hosts that are
11948 The rto value will time out after host-ttl seconds from the cache.
11950 - utility for keeping histogram.
11953 - mesh is called by worker, and iterator uses it.
11956 - forwarder mode no longer sets AA bit on first reply.
11957 - rcode in walk_supers is not needed.
11960 - more mesh work.
11961 - error encode routine for ease.
11964 - removed unused _node iterator value from rbtree_t. Takes up space.
11965 - iterator can handle querytargets state without a delegation point
11967 - iterator stores if it is priming or not.
11968 - log_query_info() neater logging.
11969 - changed iterator so that it does not alter module_qstate.qinfo
11972 - fixup crash in case no ports for the family exist.
11975 - Fixup secondary buffer in case of error callback.
11976 - cleanup slumber list of runnable states.
11977 - module_subreq_depth fails to work in slumber list.
11978 - fixup query release for cached results to sub targets.
11979 - neater error for tcp connection failure, shows addr in verbose.
11980 - rbtree_init so that it can be used with preallocated memory.
11983 - new -C option to enable coredumps after forking away.
11984 - doc update.
11985 - fixup CNAME generation by scrubber, and memory allocation of it.
11986 - fixup deletion of serviced queries when all callbacks delete too.
11987 - set num target queries to 0 when you move them to slumber list.
11988 - typo in check caused subquery errors to be ignored, fixed.
11989 - make lint happy about rlim_t.
11990 - freeup of modules after freeup of module-states.
11991 - duplicate replies work, this uses secondary udp buffer in outnet.
11994 - nicer layout in stats.c, review 0.3 change.
11995 - spelling improvement, review 0.3 change.
11996 - uncapped timeout for server selection, so that very fast or slow
11998 - target-fetch-policy: "3 2 1 0 0" config setting.
11999 - fixup queries answered without RD bit (for root prime results).
12000 - refuse AXFR and IXFR requests.
12001 - fixup RD flag in error reply from iterator. fixup RA flag from
12003 - fixup encoding of very short edns buffer sizes, now sets TC bit.
12004 - config options harden-short-bufsize and harden-large-queries.
12007 - same, move subqueries to slumber list when first has resolved.
12008 - fixup last fix for duplicate callbacks.
12009 - another offbyone in targetcounter. Also in Java prototype by the way.
12012 - if a query asks to be notified of the same serviced query result
12014 multiple outbound-list entries result (but the double cleanup of it
12016 - when iterator moves on due to CNAME or referral, it will remove
12019 - state module wait subq is OK with no new subqs, an old one may have
12021 - if a query loops, halt entire query (easy way to clean up properly).
12024 - num query targets was > 0 , not >= 0 compared, so that fetch
12028 - debug option: configure --enable-static-exe for compile where
12030 - make install and make uninstall. Works with static-exe and without.
12032 - alignment problem fix on solaris 64.
12033 - fixup address in case of TCP error.
12036 - num target queries was set to 0 at a bad time. Default it to 0 and
12038 - synthesize CNAME and DNAME responses from the cache.
12039 - Updated doxygen config for doxygen 1.5.
12040 - aclocal newer version.
12041 - doxygen 1.5 fixes for comments (for the strict check on docs).
12044 - replies on TCP queries have the address field set in replyinfo,
12047 - omit DNSSEC types from nonDO replies, except if qtype is ANY or
12050 - fixed message parsing where rrsigs on their own would be put
12054 - fixup error in double linked list insertion for subqueries and
12056 - nicer printout of outgoing port selection.
12057 - fixup cname target readout.
12058 - nicer debug output.
12059 - fixup rrset counts when prepending CNAMEs to the answer.
12060 - fixup rrset TTL for prepended CNAMEs.
12061 - process better check for looping modules, and which submodule to
12063 - subreq insertion code fixup for slumber list.
12064 - VERB_DETAIL, verbosity: 2 level gives short but readable output.
12066 - fixup RA bit in cached replies.
12067 - fixup CNAME responses from the cache no longer partial response.
12068 - error in network send handled without leakage.
12069 - enable ip6 from config, and try ip6 addresses if available,
12073 - iterator state finished.
12074 - subrequests without parent store in cache and stop.
12075 - worker slumber list for ongoing promiscuous queries.
12076 - subrequest error handling.
12077 - priming failure returns SERVFAIL.
12078 - priming gives LAME result, returns SERVFAIL.
12079 - debug routine to print dns_msg as handled by iterator.
12080 - memleak in config file stubs fixup.
12081 - more small bugs, in scrubber, query compare no ID for lookup,
12083 - sets entry.key for new special allocs.
12084 - lognametypeclass can display unknown types and classes.
12087 - random selection of equally preferred nameserver targets.
12088 - reply info copy routine. Reuses existing code.
12089 - cache lameness in response handling.
12090 - do not touch qstate after worker_process_query because it may have
12092 - Prime response state.
12093 - Process target response state.
12094 - some memcmp changed to dname_compare for case preservation.
12097 - normalize incoming messages. Like unbound-java, with CNAME chain
12099 - sanitize incoming messages.
12100 - split msgreply encode functions into own file msgencode.c.
12101 - msg_parse to queryinfo/replyinfo conversion more versatile.
12102 - process_response, classify response, delegpt_from_message.
12105 - querytargets state.
12106 - dname_subdomain_c() routine.
12107 - server selection, based on RTT. ip6 is filtered out if not available,
12109 - delegation point copy routine.
12112 - removed FLAG_CD from message and rrset caches. This was useful for
12115 - iterator response typing.
12116 - iterator cname handle.
12117 - iterator prime start.
12118 - subquery work.
12119 - processInitRequest and processInitRequest2.
12120 - cache synthesizes referral messages, with DS and NSEC.
12121 - processInitRequest3.
12122 - if a request creates multiple subrequests these are all activated.
12125 - routines to lock and unlock array of rrsets moved to cache/rrset.
12126 - lookup message from msg cache (and copy to region).
12127 - fixed cast error in dns msg lookup.
12128 - message with duplicate rrset does not increase its TTLs twice.
12129 - 'qnamesize' changed to 'qname_len' for similar naming scheme.
12132 - Acknowledge use of unbound-java code in iterator. Nicer readme.
12133 - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
12135 - packed rrset key has type and class as easily accessible struct
12137 - dns cache find_delegation routine.
12138 - iterator main functions setup.
12139 - dns cache lookup setup.
12142 - small changes to prepare for subqueries.
12143 - iterator forwarder feature separated out.
12144 - iterator hints stub code, config file stub code, so that first
12146 - replay tests now have config option to enable forwarding mode.
12149 - outside network does precise timers for roundtrip estimates for rtt
12151 - cleaner iterator sockaddr conversion of forwarder address.
12152 - iterator/iter_utils and iter_delegpt setup.
12153 - root hints.
12156 - outbound query list for modules and support to callback with the
12158 - testbound support for new serviced queries.
12159 - test for retry to TCP cannot use testbound any longer.
12160 - testns test for EDNS fallback, test for TCP fallback already exists.
12161 - fixes for no-locking compile.
12162 - mini_event timer precision and fix for change in timeouts during
12166 - small comment on hash table locking.
12167 - outside network serviced queries, contain edns and tcp fallback,
12171 - lruhash_touch() would cause locking order problems. Fixup in
12172 lock-verify in case locking cycle is found.
12173 - services/cache/rrset.c for rrset cache code.
12174 - special rrset_cache LRU updating function that uses the rrset id.
12175 - no dependencies calculation when make clean is called.
12176 - config settings for infra cache.
12177 - daemon code slightly cleaner, only creates caches once.
12180 - host cache code.
12181 - unit test for host cache.
12184 - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
12185 - extensive lock debug report on join timeout.
12186 - proper RTT calculation, in utility code.
12187 - setup of services/cache/infra, host cache.
12190 - iterator/iterator.c module.
12191 - fixup to pass reply_info in testcode and in netevent.
12194 - created release-0.3 svn tag.
12195 - util/module.h
12196 - fixed compression - no longer compresses root name.
12199 - outside network cleans up waiting tcp queries on exit.
12200 - fallback to TCP.
12201 - testbound replay with retry in TCP mode.
12202 - tpkg test for retry in TCP mode, against ldns-testns server.
12203 - daemon checks max number of open files and complains if not enough.
12204 - test where data expires in the cache.
12205 - compiletests: fixed empty body ifstatements in alloc.c, in case
12209 - outgoing network keeps list of available tcp buffers for outgoing
12211 - outgoing-num-tcp config option.
12212 - outgoing network keeps waiting list of queries waiting for buffer.
12213 - netevent supports outgoing tcp commpoints, nonblocking connects.
12216 - EDNS read from query, used to make reply smaller.
12217 - advertised edns value constants.
12218 - EDNS BADVERS response, if asked for too high edns version.
12219 - EDNS extended error responses once the EDNS record from the query
12223 - msgreply sizefunc is more accurate.
12224 - config settings for rrset cache size and slabs.
12225 - hashtable insert takes argument so that a thread can use its own
12227 - alloc cache special_release() locks if necessary.
12228 - rrset trustworthiness type added.
12229 - thread keeps a scratchpad region for handling messages.
12230 - writev used in netevent to write tcp length and data after another.
12232 - test for one rrset updated in the cache.
12233 - test for one rrset which is not updated, as it is not deemed
12235 - test for TTL refreshed in rrset.
12238 - fill refs. Use new parse and encode to answer queries.
12239 - stores rrsets in cache.
12240 - uses new msgreply format in cache.
12243 - dname unit tests in own file and spread out neatly in functions.
12244 - more dname unit tests.
12245 - message encoding creates truncated TC flagged messages if they do
12249 - decompress query section, extremely lenient acceptance.
12251 - compression and decompression test cases.
12252 - some stats added.
12253 - example.conf interface: line is changed from 127.0.0.1 which leads
12258 - removed iov usage, it is not good for dns message encoding.
12259 - owner name compression more optimal.
12260 - rrsig owner name compression.
12261 - rdata domain name compression.
12264 - floating point exception fix in lock-verify.
12265 - lint uses make dependency
12266 - fixup lint in dname owner domain name compression code.
12267 - define for offset range that can be compressed to.
12270 - prettier code; parse_rrset->type kept in host byte order.
12271 - datatype used for hashvalue of converted rrsig structure.
12272 - unit test compares edns section data too.
12275 - ttl per RR, for RRSIG rrsets and others.
12276 - dname_print debug function.
12277 - if type is not known, size calc will skip DNAME decompression.
12278 - RRSIG parsing and storing and putting in messages.
12279 - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
12280 - EDNS extraction routine.
12283 - code comes through all of the unit tests now.
12284 - disabled warning about spurious extra data.
12285 - documented the RRSIG parse plan in msgparse.h.
12286 - rrsig reading and outputting.
12289 - fix unit test to actually to tests.
12290 - fix write iov helper, and fakevent code.
12291 - extra builtin testcase (small packet).
12292 - ttl converted to network format in packets.
12293 - flags converted correctly
12294 - rdatalen off by 2 error fixup.
12295 - uses less iov space for header.
12298 - review of msgparse code.
12299 - smaller test cases.
12302 - copy and decompress dnames.
12303 - store calculated hash value too.
12304 - routine to create message out of stored information.
12305 - util/data/msgparse.c for message parsing code.
12306 - unit test, and first fixes because of test.
12310 - test from file and fixes
12316 - following a small change in LDNS, parsing code calculates the
12318 - code to handle ID creation.
12321 - parse routines. Code that parses rrsets, rrs.
12324 - dname compare routine that preserves case, with unit tests.
12327 - parse work - dname packet parse, msgparse, querysection parse,
12331 - Improved alignment of reply_info packet, nice for 32 and 64 bit.
12332 - Put RRset counts in reply_info, because the number of RRs can change
12334 - import of region-allocator code from nsd.
12335 - set alloc special type to ub_packed_rrset_key.
12337 - doxygen documentation for region-allocator.
12338 - setup for parse scratch data.
12341 - discussed packed rrset with Jelte.
12344 - moved to version 0.3.
12345 - added util/data/dname.c
12346 - layout of memory for rrsets.
12349 - detect sign of msghdr.msg_iovlen so that the cast to that type
12353 - constants for DNS flags.
12354 - compilation without locks fixup.
12355 - removed include of unportable header from lookup3.c.
12356 - more portable use of struct msghdr.
12357 - casts for printf warning portability.
12358 - tweaks to tests to port them to the testbed.
12359 - 0.2 tag created.
12362 - check sizes of udp received messages, not too short.
12363 - review changes. Some memmoves can be memcpys: 4byte aligned.
12365 - review changes msgreply.c, memleak on error condition. AA flag
12371 - writev or sendmsg used when answering from cache.
12373 - do not do useless byteswap on query id. Store reply flags in uint16
12375 - reviewed code.
12376 - configure detects and config.h includes sys/uio.h for writev decl.
12379 - new config option: num-queries-per-thread.
12380 - added tpkg test for answering three queries at the same time
12384 - added test for cache and not cached answers, in testbound replays.
12385 - testbound can give config file and commandline options from the
12387 - created test that checks if items drop out of the cache.
12388 - added word 'partitioned hash table' to documentation on slab hash.
12390 - worker can handle multiple queries at a time.
12393 - config settings for slab hash message cache.
12394 - test for cached answer.
12395 - Fixup deleting fake answer from testbound list.
12398 - review of yesterday's commits.
12399 - covered up memory leak of the entry locks.
12400 - answers from the cache correctly. Copies flags correctly.
12401 - sanity check for incoming query replies.
12402 - slabbed hash table. Much nicer contention, need dual cpu to see.
12405 - AIX configure check.
12406 - lock-verify can handle references to locks that are created
12408 - threaded hash table test.
12409 - unit test runs lock-verify afterwards and checks result.
12410 - need writelock to update data on hash_insert.
12411 - message cache code, msgreply code.
12414 - unit test of hash table, fixup locking problem in table_grow().
12415 - fixup accounting of sizes for removing items from hashtable.
12416 - unit test for hash table, single threaded test of integrity.
12417 - lock-verify reports errors nicely. More quiet in operation.
12420 - lock-verifier, checks consistent order of locking.
12423 - hash table insert (and subroutines) and lookup implemented.
12424 - hash table remove.
12425 - unit tests for hash internal bin, lru functions.
12428 - lock_unprotect in checklocks.
12429 - util/storage/lruhash.h for LRU hash table structure.
12432 - configure.ac moved to 0.2.
12433 - query_info and replymsg util/data structure.
12436 - added rwlock writelock checking.
12439 - log_hex function to dump hex strings to the logfile.
12440 - checklocks zeroes its destroyed lock after checking memory areas.
12441 - unit test for alloc.
12442 - identifier for union in checklocks to please older compilers.
12443 - created 0.1 tag.
12446 - Reviewed checklock code.
12449 - created a wrapper around thread calls that performs some basic
12454 - Testbed works with threading (different machines, different options).
12455 - alloc work, does the special type.
12458 - do not compile fork funcs unless needed. Otherwise will give
12460 - log shows thread numbers much more nicely (and portably).
12461 - even on systems with nonthreadsafe libevent signal handling,
12464 - start of alloc framework layout.
12467 - Signals, libevent and threads work well, with libevent patch and
12469 - set ipc pipes nonblocking.
12472 - ub_thread_join portable definition.
12473 - forking is used if no threading is available.
12476 - During reloads the daemon will temporarily handle signals,
12478 - Also randomize the outgoing port range for tests.
12479 - If query list is full, will stop selecting listening ports for read.
12482 - test that uses ldns-testns -f to test threading. Have to answer
12484 - with verbose=0 operates quietly.
12487 - ub_random code used to select ID and port.
12488 - log code prints thread id.
12489 - unbound can thread itself, with reload(HUP) and quit working
12491 - don't open pipes for #0, doesn't need it.
12492 - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
12495 - Can do reloads on sigHUP. Everything is stopped, and freed,
12498 - Ports for queries are shared.
12499 - config file added interface:, chroot: and username:.
12500 - config file: directory, logfile, pidfile. And they work too.
12501 - will daemonize by default now. Use -d to stay in the foreground.
12502 - got BSD random[256 state] code, made it threadsafe. util/random.
12505 - Have a config file. Removed commandline options, moved to config.
12506 - tests use config file.
12509 - put -c option in man page.
12510 - minievent fd array capped by FD_SETSIZE.
12513 - Added locks code and pthread spinlock detection.
12514 - can use no locks, or solaris native thread library.
12515 - added yacc and lex configure, and config file parsing code.
12517 - put include errno.h in config.h
12520 - Created 0.0 svn tag.
12521 - added acx_pthread.m4 autoconf check for pthreads from
12522 the autoconf archive. It is GPL-with-autoconf-exception Licensed.
12523 You can specify --with-pthreads, or --without-pthreads to configure.
12526 - Updated testbed script, works better by using make on remote end.
12527 - removed check decls, we can compile without them.
12528 - makefile supports LIBOBJ replacements.
12529 - docs checks ignore compat code.
12530 - added util/mini-event.c and .h, a select based alternative used with
12531 ./configure --with-libevent=no
12533 - will not create ip6 sockets if ip6 not on the machine.
12536 - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
12538 - malloc rndstate, so that it is aligned for access.
12539 - fixed rbtree cleanup with postorder traverse.
12540 - fixed pending messages are deleted when handled.
12541 - You can control verbosity; default is not verbose, every -v
12545 - Included configure.ac changes from ldns.
12546 - detect (some) headers before the standards check.
12547 - do not use isblank to test c99, since its not available on solaris9.
12548 - review of testcode.
12551 - port to OSX: cast to int for some prints of sizet.
12552 - Makefile copies ldnstestpkts.c before doing dependencies on it.
12555 - work on fake events, first fwd replay works.
12556 - events can do timeouts and errors on queries to servers.
12557 - test package that runs replay scenarios.
12560 - work on fake events.
12563 - replay file reading.
12564 - fake event setup, it creates fake structures, and teardowns,
12569 - added tcp test.
12570 - replay storage.
12571 - testcode/fake_event work.
12574 - return answer with the same ID as query was sent with.
12575 - created udp forwarder test. I've done some effort to make it perform
12578 - set addrlen value when calling recvfrom.
12579 - comparison of addrs more portable.
12580 - LIBEVENT option for testbed to set libevent directory.
12581 - work on tcp input.
12584 - reviewed code and improved in places.
12587 - Picked up stdc99 and other define tests from ldns. Improved
12589 - defined constants for netevent callback error code.
12590 - unit test for strisip6.
12593 - Created udp4 and udp6 port arrays to provide service for both
12595 - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
12596 - listens on both ip4 and ip6 ports to provide correct return address.
12597 - worker fwder address filled correctly.
12598 - fixup timer code.
12599 - forwards udp queries and sends answer.
12602 - outside network more UDP work.
12603 - moved * closer to type.
12604 - comm_timer object and events.
12607 - Added makedist.sh script to make release tarball.
12608 - Removed listen callback layer, did not add anything.
12609 - Added UDP recv to netevent, worker callback for udp.
12610 - netevent communication reply storage structure.
12611 - minimal query header sanity checking for worker.
12612 - copied over rbtree implementation from NSD (BSD licensed too).
12613 - outgoing network query service work.
12616 - links in example/ldns-testpkts.c and .h for premade packet support.
12617 - added callback argument to listen_dnsport and daemon/worker.
12620 - unbound.8 a short manpage.
12623 - fixed memleak.
12624 - make lint works on BSD and Linux (openssl defines).
12625 - make tags works.
12626 - testbound program start.
12629 - fixed lint so it may work on BSD.
12630 - put license into header of every file.
12631 - created verbosity flag.
12632 - fixed libevent configure flag.
12633 - detects event_base_free() in new libevent 1.2 version.
12634 - getopt in daemon. fatal_exit() and verbose() logging funcs.
12635 - created log_assert, that throws assertions to the logfile.
12636 - listen_dnsport service. Binds ports.
12639 - cleaned up configure.ac.
12642 - added libevent to configure to link with.
12643 - util/netevent setup work.
12644 - configure searches for libevent.
12645 - search for libs at end of configure (when other headers and types
12647 - doxygen works with ATTR_UNUSED().
12648 - util/netevent implementation.
12651 - Designed header file for network communication.
12654 - added readme.svn and readme.tests.
12657 - Testbed script (run on multiple platforms the test set).
12659 - added unit test tpkg.
12662 - committed first set of files into subversion repository.
12665 - Added LICENSE, the BSD license.
12666 - Added doc/README with compile help.
12667 - main program stub and quiet makefile.
12668 - minimal logging service (to stderr).
12669 - added postcommit hook that serves emails.
12670 - added first test 00-lint. postcommit also checks if build succeeds.
12671 - 01-doc: doxygen doc target added for html docs. And stringent test
12675 - Created Makefile.in and configure.ac.