Lines Matching +full:conf +full:- +full:rst
2 - Fix for dnsoverquic and dnstap to use the correct dnstap
6 - Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
9 - Fix to display warning if quic-port is set but dnsoverquic is not
11 - Fix dnsoverquic to extend the number of streams when one is closed.
14 - Fix to disable detection of quic configured ports when quic is
16 - Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
17 - Fix contrib/aaaa-filter-iterator.patch for change in call
21 - Fix cookie_file test sporadic fails for time change during
23 - Fix add reallocarray to alloc stats unit test, and disable
24 override of strdup in unbound-host, and the result of config
28 - Merge #871: DNS over QUIC. This adds `quic-port: 853` and
29 `quic-size: 8m` that enable dnsoverquic, and the counters
32 with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
33 pass that with `--with-ssl=path` to compile unbound as well.
34 - Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
36 - Fix for dnstap compile of doqclient with doq disabled.
39 - Fix #1149: unbound-control-setup hangs sometimes depending on
41 - Fix #1128: Cannot override tcp-upstream and tls-upstream with
42 forward-tcp-upstream and forward-tls-upstream.
45 - Fix CVE-2024-8508, unbounded name compression could lead to denial
47 - This fix was part of 1.21.1, a security point release on 1.21.0.
52 - Fix negative cache NSEC3 parameter compares for zero length NSEC3
54 - Fix unbound dnstap socket test program analyzer warnings about
58 - Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
59 This adds the option `log-time-iso: yes` that logs in ISO8601
63 - Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
64 - More clear text for prefetch and minimal-responses in the
65 unbound.conf man page.
66 - Merge #1143: Fix cache update when serve expired is used. Expired
68 serve-expired is used.
71 - Fix dns64 with prefetch that the prefetch is stored in cache.
74 - Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
79 - Add redis-command-timeout: 20 and redis-connect-timeout: 200,
82 specified, the redis-timeout value is used.
85 - Merge #1140: Fix spelling mistake in comments.
88 - Fix and add comments in testdata/val_negcache_ttl.rpl.
91 - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
93 - Add unit test for ttl limit for aggressive nsec.
96 - Fix alloc-size and calloc-transposed-args compiler warnings.
97 - Fix comment to not trigger doxygen unknown command.
100 - Fix config file read for dnstap-sample-rate.
103 - Merge #1135: Add new IANA trust anchor.
106 - Merge #1132: b.root renumbering.
107 - Fix for #1132, adjusted unit test for change in the test file.
108 - Fix for #1132, comment about adjusted copy of reference check.
111 - Unit test for auth zone transfer TLS, and TLS failure.
112 - Fix to print port number in logs for auth zone transfer activities.
115 - Fix that when rpz is applied the message does not get picked up by
117 - Fix that stub-zone and forward-zone clauses do not exhaust memory
121 - Fix #1130: Loads of logs: "validation failure: key for validation
123 non-DNSSEC signed zone.
126 - Merge patch to fix for glue that is outside of zone, with
127 `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
132 - Fix #1127: error: "memory exhausted" when defining more than 9994
133 local-zones.
134 - Fix documentation for cache_fill_missing function.
137 - Add cross platform freebsd, openbsd and netbsd to github ci.
138 - Fix for char signedness warnings on NetBSD.
141 - Add iter-scrub-ns, iter-scrub-cname and max-global-quota
145 - Fix #1126: unbound-control-setup hangs while testing for openssl
149 - Fix spelling for the cache-min-negative-ttl entry in the
150 example.conf.
151 - Tag for release 1.21.0, the repository continues with 1.21.1
155 - Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
157 - Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
158 Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
160 - Set version number to 1.21.0 for release. This has tag 1.21.0rc1.
161 - Fix that for windows the module startup is called and sets up
162 the module-config.
165 - Fix that alloc stats has strdup checks, it stops debuggers from
167 - Fix testbound for alloc stats strdup in util/alloc.c.
168 - Merge #1090: Cookie secret file. Adds
169 `cookie-secret-file: "unbound_cookiesecrets.txt"` option to store
174 - Fix that alloc stats for forwards and hints are printed, and when
179 - Fix dnstap test program, cleans up to have clean memory on exit,
183 free. Added internal unit test to unbound-dnstap-socket for that.
184 - Fix that the worker mem report with alloc stats does not attempt
189 - Fix for #1114: Fix that cache fill for forward-host names is
190 performed, so that with nonzero target-fetch-policy it fetches
199 - Fix to document parameters of auth_zone_verify_zonemd_with_key.
202 - Add root key 38696 from 2024 for DNSSEC validation. It is added
203 to the default root keys in unbound-anchor. The content can be
204 inspected with `unbound-anchor -l`.
207 - Fix #1106: ratelimit-below-domain logs the wrong FROM address.
208 - Cleanup ede.tdir test.
209 - For #935 and #1104, clarify RPZ order and semantics.
212 - Merge #1110: Make fallthrough explicit for libworker.c.
213 - For #1110: Test for fallthrough attribute in configure and add
215 - Fix compile when the compiler does not support the noreturn
217 - Fix to have empty definition when not supported for weak attribute.
218 - Fix uninitialized variable warning in create_tcp_accept_sock.
219 - Fix link of dnstap without openssl.
220 - Fix link of unbound-dnstap-socket without openssl.
223 - Add dnstap-sample-rate that logs only 1/N messages, for high volume
225 - Fix dnstap wakeup, a running wakeup timer is left to expire and not
232 - For #1103: Fix to drop mesh state reference for the http2 stream
238 - For #1103: fix to also drop mesh state reference when the discard
243 - Add RPZ tag tests in acl_interface.tdir.
244 - For #1102: clearer text for using interface-* options for the
248 - Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
249 - For #1103: fix to also drop mesh state reference when a h2 reply is
253 - For #773: In contrib/unbound.service.in set unbound to start after
254 network-online.target. Also for contrib/unbound_portable.service.in.
257 - Update list of known EDE codes.
260 - Fix that validation reason failure that uses string print uses
262 - Fixup algo_needs_reason string buffer length.
263 - Fix shadowed error string variable in validator dnskey handling.
266 - Don't check for message TTL changes if the RRsets remain the same.
269 - Fix for neater printout for error for missing DS response.
270 - Fix neater printout.
271 - Fix #1099: Unbound core dump on SIGSEGV.
272 - Fix for #1099: Fix to check for deleted RRset when the contents
277 - Fix to print details about the failure to lookup a DNSKEY record
282 - Fix for repeated use of a DNAME record: first overallocate and then
287 - Fix #144: Port ipset to BSD pf tables.
288 - Add unit test skip files and bison and flex output to gitignore.
289 - Fix to use modstack_init in zonemd unit test.
290 - Fix to remove unneeded linebreak in fptr_wlist.c.
291 - Fix compile warnings in fptr_wlist.c.
294 - Fix to remove unused include from the readzone test program.
295 - Fix unused variable warning in do_cache_remove.
296 - Fix compile warning in worker pthread id printout.
299 - Fix ip-ratelimit-cookie setting, it was not applied.
302 - Explicitly set the RD bit for the mesh query flags when prefetching.
307 - Fix pkg-config availability check in dnstap/dnstap.m4 and
311 - Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
313 the default pkg-config unavailability error message to be shown.
316 - Fix #1091: Build fails with OpenSSL >= 3.0 built with
320 - Add unit test for validation of repeated use of a DNAME record.
323 - Fix memory leak in setup of dsa sig.
324 - Fix typos for 'the the' in text.
325 - Fix validation for repeated use of a DNAME record.
328 - Merge #1080: AddressSanitizer detection in tdir tests and memory leak
330 - Fix memory leak when reload_keep_cache is used and num-threads
332 - Fix memory leak on exit for unbound-dnstap-socket; creates false
336 - Fix to squelch connection reset by peer errors from log. And fix
340 - Fix #1079: tags from tagged rpz zones are no longer honored after
342 - Fix for #1079: fix RPZ taglist in iterator callback that no client
346 - Merge #1078: Only check old pid if no username.
349 - Fix to enable that SERVFAIL is cached, for a short period, for more
351 - Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
354 - Fix unused variable warning on compilation with no thread support.
355 - unbound-control-setup: check openssl availability before doing
357 - Update patch to remove 'command' shell builtin and update error
361 - Fix #1064: Unbound 1.20 Cachedb broken?
364 - Fix #1059: Intermittent DNS blocking failure with local-zone and
366 unbound-control was not finding the zone's parent correctly.
369 - Merge #1073: fix null pointer dereference issue in function
371 - Fix to print a parse error when config is read with no name for
372 a forward-zone, stub-zone or view.
373 - Fix for parse end of forward-zone, stub-zone and view.
374 - Fix for #1064: Fix that cachedb expired messages are considered
378 - Merge #1069: Fix unbound-control stdin commands for multi-process
380 - Fix unbound-control commands that read stdin in multi-process
384 are no longer supported in multi-process operation.
385 - Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir
389 - Merge #1070: Fix rtt assignement for low values of
390 infra-cache-max-rtt.
393 - Fix #1071: [FR] Clear both in-memory and cachedb module cache with
394 `unbound-control flush*` commands.
397 - Add missing common functions to tdir tests.
400 - Fix when the mesh jostle is exceeded that nameserver targets are
405 - Fix to squelch udp connect errors in the log at low verbosity about
409 - Merge #1062: Fix potential overflow bug while parsing port in
411 - Fix for #1062: declaration before statement, avoid print of null,
415 - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
418 - Set version number to 1.20.0 for release. This became the release
422 - Cleanup unnecessary strdup calls for EDE strings.
425 - Fix doxygen comment for errinf_to_str_bogus.
428 - Fix cachedb with serve-expired-client-timeout disabled. The edns
430 stores a result, and serve-expired is enabled, so that the global
433 - Add unit tests for cachedb and subnet cache expired data.
434 - Man page entry for unbound-checkconf -q.
437 - Fix #876: [FR] can unbound-checkconf be silenced when configuration
441 - Fix configure flto check error, by finding grep for it.
442 - Merge #1041: Stub and Forward unshare. This has one structure
445 - Fix to disable fragmentation on systems with IP_DONTFRAG,
447 - Fix doc unit test for out of directory build.
450 - Fix ci workflow for macos for moved install locations.
453 - Merge #1053: Remove child delegations from cache when grandchild
457 - Add checklock feature verbose_locking to trace locks and unlocks.
458 - Fix edns subnet to sort rrset references when storing messages
462 - Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
463 - Fix configure, autoconf for #1048.
466 - Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since
470 - Fix cachedb for serve-expired with serve-expired-client-timeout.
471 - Fixup unit test for cachedb server expired client timeout with
473 - Fixup cachedb to not refetch when serve-expired-client-timeout is
477 - Implement cachedb-check-when-serve-expired: yes option, default
480 - Fixup compile without cachedb.
481 - Add test for cachedb serve expired.
482 - Extended test for cachedb serve expired.
483 - Fix makefile dependencies for fake_event.c.
484 - Fix cachedb for serve-expired with serve-expired-reply-ttl.
485 - Fix to not reply serve expired unless enabled for cachedb.
488 - Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates
489 config.guess(2024-01-01) and config.sub(2024-01-01), verified
493 - Fix #595: unbound-anchor cannot deal with full disk; it will now
495 like Unbound already does for auto-trust-anchor-file.
498 - Fix comment syntax for view function views_find_view.
501 - Merge #1027: Introduce 'cache-min-negative-ttl' option.
504 - Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
506 - For #1040: adjust error text and disallow negative ports in other
510 - Fix #1035: Potential Bug while parsing port from the "stub-host"
511 string; also affected forward-zones and remote-control host
513 - Fix #369: dnstap showing extra responses; for client responses
518 - Fix #1034: DoT forward-zone via unbound-control.
519 - Fix for crypto related failures to have a better error string.
522 - Fix name of unit test for subnet cache response.
523 - Fix #1032: The size of subnet_msg_cache calculation mistake cause
525 - Fix for #1032, add safeguard to make table space positive.
526 - Fix comment in lruhash space function.
527 - Fix to add unit test for lruhash space that exercises the routines.
528 - Fix that when the server truncates the pidfile, it does not follow
530 - Fix that the server does not chown the pidfile.
533 - Merge #831 from Pierre4012: Improve Windows NSIS installer
535 - For #831: Format text, use exclamation icon and explicit label
539 - Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
541 - Fix localdata and rpz localdata to match CNAME only if no direct
545 - Fix that rpz CNAME content is limited to the max number of cnames.
546 - Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
548 - Fix rpz that copies the cname override completely to the temp
550 - Add rpz unit test for nsip action override.
551 - Fix rpz for qtype CNAME after nameserver trigger.
554 - Merge #1030: Persist the openssl and expat directories for repeated
558 - Fix that addrinfo is not kept around but copied and freed, so that
559 log-destaddr uses a copy of the information, much like NSD does.
562 - Fix #1029: rpz trigger clientip and action rpz-passthru not working
564 - Fix rpz that the rpz override is taken in case of clientip triggers.
568 - Fix to unify codepath for local alias for rpz cname action override.
569 - Fix rpz for cname override action after nsdname and nsip triggers.
572 - Merge #1028: Clearer documentation for tcp-idle-timeout and
573 edns-tcp-keepalive-timeout.
576 - Fix #1021 Inconsistent Behavior with Changing rpz-cname-override
577 and doing a unbound-control reload.
580 - Fix unbound-control-setup.cmd to use 3072 bits so that certificates
583 - Fix TTL of synthesized CNAME when a DNAME is used from cache. This
585 - Remove unused portion from iter_dname_ttl unit test.
586 - Fix validator classification of qtype DNAME for positive and
590 - Fix qname minimisation for reply with a DNAME for qtype CNAME that
592 - Fix doc test so it ignores but outputs unsupported doxygen options.
593 - Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
594 like unbound-control-setup.sh has. This fix is included in 1.19.3rc2.
597 - Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
601 - Version set to 1.19.3 for release. After 1.19.2 point release with
602 security fix for CVE-2024-1931, Denial of service when trimming
608 - Fix for #1022: Fix ede prohibited in access control refused answers.
611 - Fix edns subnet replies for scope zero answers to not get stored
616 - Move github workflows to use checkoutv4.
619 - Document the suspend argument for process_ds_response().
622 - Fix trim of EDE text from large udp responses from spinning cpu.
625 - Merge #1010: Mention REFUSED has the TC bit set with unmatched
631 - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
633 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
634 - These fixes are part of the 1.19.1 release, that is a security
639 - Fix documentation for access-control in the unbound.conf man page.
642 - Fix #1006: Can't find protobuf-c package since #999.
645 - Merge #999: Search for protobuf-c with pkg-config.
648 - Update message TTL when using cached RRSETs. It could result in
649 non-expired messages with expired RRSETs (non-usable messages by
653 - Update error printout for duplicate trust anchors to include the
657 - Fix for #997: Print details for SSL certificate failure.
660 - Update workflow for ports to use newer openssl on windows compile.
661 - Fix warning for windres on resource files due to redefinition.
664 - Fix to link with libssp for libcrypto and getaddrinfo check for
666 - Merge #993: Update b.root-servers.net also in example config file.
669 - Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
672 - Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
675 - Merge #987: skip edns frag retry if advertised udp payload size is
677 - Fix unit test for #987 change in udp1xxx retry packet send.
680 - Remove unneeded newlines and improve indentation in remote control
684 - Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
685 for non-HTTP/2 DoH clients.
686 - Merge #985: Add DoH and DoT to dnstap message.
687 - Fix #983: Sha1 runtime insecure change was incomplete.
690 - Update example.conf with cookie options.
693 - Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
697 - Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
701 - Fix #974: doc: default number of outgoing ports without libevent.
702 - Merge #975: Fixed some syntax errors in rpl files.
705 - Fix to sync the tests script file common.sh.
706 - iana portlist update.
707 - Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
708 - Update test script file common.sh.
709 - Fix tests to use new common.sh functions, wait_logfile and
713 - Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
714 - Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
715 - Fix dnstap that assertion failed on logging other than UDP and TCP
719 - Merge #968: Replace the obsolescent fgrep with grep -F in tests.
722 - Fix #964: config.h.in~ backup file in release tar balls.
725 - Use 127.0.0.1 explicitly in tests to avoid delays and errors on
729 - Fix unit test parse of origin syntax.
732 - Set version number to 1.19.0.
733 - Tag for 1.19.0rc1 release. It became 1.19.0 release on 8 nov 2023.
737 - Mention flex and bison in README.md when building from repository
741 - Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
742 - Fix SSL compile failure for other missing definitions in
744 - Fix compilation without openssl, remove unused function warning.
747 - Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
751 - Merge #930 from Stuart Henderson: add void to
755 - autoconf.
758 - Clearer configure text for missing protobuf-c development libraries.
761 - Merge #951: Cachedb no store. The cachedb-no-store: yes option is
767 - Fix to print detailed errors when an SSL IO routine fails via
771 - Mailing list patches from Daniel Gröber for DNS64 fallback to plain
774 - Fixes for the DNS64 patches.
775 - Update the dns64_lookup.rpl test for the DNS64 fallback patch.
776 - Merge #955 from buevsan: fix ipset wrong behavior.
777 - Update testdata/ipset.tdir test for ipset fix.
780 - Fix #954: Inconsistent RPZ handling for A record returned along with
784 - Expose the script filename in the Python module environment 'mod_env'
787 - Expose the configured listening and outgoing interfaces, if any, as
790 - For multi Python module setups, clean previously parsed module
795 - Better fix for infinite loop when reading multiple lines of input on
800 - Merge #944: Disable EDNS DO.
806 is disable-edns-do: no
809 - Fix #850: [FR] Ability to use specific database in Redis, with new
810 redis-logical-db configuration option.
813 - Fix #949: "could not create control compt".
814 - Fix that cachedb does not warn when serve-expired is disabled about
815 use of serve-expired-reply-ttl and serve-expired-client-timeout.
816 - Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
819 - Fix infinite loop when reading multiple lines of input on a broken
823 - Fix edns subnet so that queries with a source prefix of zero cause
825 - Fix that printout of EDNS options shows the EDNS cookie option by
829 - Fix #946: Forwarder returns servfail on upstream response noerror no
833 - Merge #881: Generalise the proxy protocol code.
836 - Fix misplaced comment.
839 - Fix #942: 1.18.0 libunbound DNS regression when built without
843 - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
846 - Merge #936: Check for c99 with autoconf versions prior to 2.70.
847 - Fix to remove two c99 notations.
850 - Fix authority zone answers for obscured DNAMEs and delegations.
853 - Fix send of udp retries when ENOBUFS is returned. It stops looping
858 - Fix to scrub resource records of type A and AAAA that have an
860 - Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
861 - Fix to add EDE text when RRs have been removed due to length.
862 - Fix to set ede match in unit test for rr length removal.
863 - Fix to print EDE text in readable form in output logs.
866 - Merge #931: Prevent warnings from -Wmissing-prototypes.
869 - Fix autoconf 2.69 warnings in configure.
870 - Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
873 - Fix for WKS call to getservbyname that creates allocation on exit
878 - Fix for version generation race condition that ignored changes.
881 - Fix compile error on NetBSD in util/netevent.h.
884 - Tag for 1.18.0rc1 release. This became the 1.18.0 release on
889 - Set version number to 1.18.0.
892 - Debug Windows ci workflow.
893 - Fix windows ci workflow to install bison and flex.
894 - Fix for #925: unbound.service: Main process exited, code=killed,
896 - Fix #923: processQueryResponse() THROWAWAY should be mindful of
898 - Fix unit test for unbound-control to work when threads are disabled,
902 - Fix for iter_dec_attempts that could cause a hang, part of
904 - Fix uninitialized memory passed in padding bytes of cmsg to sendmsg.
905 - Fix stat_values test to work with dig that enables DNS cookies.
908 - Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and
911 `answer-cookie: yes`. A `cookie-secret:` can be configured for
916 `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:`
918 - Fix regional_alloc_init for potential unaligned source of the copy.
919 - Fix ip_ratelimit test to work with dig that enables DNS cookies.
922 - Move a cache reply callback in worker.c closer to the cache reply
926 - Merge #911 from natalie-reece: Exclude EDE before other EDNS options
928 - For #911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options
930 - More braces and formatting for Fix for EDNS EDE size calculation to
932 - Fix to use the now cached EDE, if any, for CD_bit queries.
935 - Fix for EDNS EDE size calculation.
938 - Merge #790 from Tom Carpay: Add support for EDE caching in cachedb
942 - iana portlist update.
945 - Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.
948 - Fix unused variable compile warning for kernel timestamps in
952 - Merge #857 from eaglegai: fix potential memory leaks when errors
954 - For #857: fix mixed declarations and code.
955 - Merge #118 from mibere: Changed verbosity level for Redis init &
957 - Merge #390 from Frank Riley: Add missing callbacks to the python
959 - Cleaner failure code for callback functions in interface.i.
960 - Merge #889 from borisVanhoof: Free memory in error case + remove
962 - For #889: use netcat-openbsd instead of netcat-traditional.
963 - For #889: Account for num_detached_states before possible
967 - Merge #909 from headshog: Numeric truncation when parsing TYPEXX and
969 - For #909: Fix return values.
970 - Merge #901 from Sergei Trofimovich: config: improve handling of
974 - For #909: Fix RR class comparison.
977 - More clear description of the different auth-zone behaviors on the
981 - Merge #880 from chipitsine: services/authzone.c: remove redundant
985 - Merge #664 from tilan7763: Add prefetch support for subnet cache
987 - For #664: Easier code flow for subnetcache prefetching.
988 - For #664: Add testcase.
989 - For #664: Rename subnet_prefetch tests to subnet_global_prefetch to
993 - Merge #739: Add SVCB dohpath support.
994 - Code cleanup for sldns_str2wire_svcparam_key_lookup.
995 - Merge #802: add validation EDEs to queries where the CD bit is set.
996 - For #802: Cleanup comments and add RCODE check for CD bit test case.
997 - Skip the 00-lint test. splint is not maintained; it either does not
1002 - Fix #906: warning: ‘Py_SetProgramName’ is deprecated.
1003 - Fix dereference of NULL variable warning in mesh_do_callback.
1006 - More fixes for reference counting for python module and clean up
1008 - Merge #827 from rcmcdonald91: Eliminate unnecessary Python reloading
1012 - Fix python modules with multiple scripts, by incrementing reference
1016 - Merge #892: Add cachedb hit stat. Introduces 'num.query.cachedb' as
1018 - Remove warning about unknown cast-function-type warning pragma.
1021 - Merge #903: contrib: add yocto compatible init script.
1024 - Fix for issue #887 (Timeouts to forward servers on BSD based
1026 - Probably fixes #516 (Stream reuse does not work on Windows) as well
1029 - Properly handle all return values of worker_check_request during
1031 - Do not check the incoming request more than once.
1034 - Merge #896: Fix: #895: pythonmodule: add all site-packages
1036 - Fix #895: python + sysconfig gives ANOTHER path comparing to
1038 - Fix for uncertain unit test for doh buffer size events.
1041 - Fix unbound-dnstap-socket printout when no query is present.
1042 - Fix unbound-dnstap-socket time fraction conversion for printout.
1045 - Fix RPZ removal of client-ip, nsip, nsdname triggers from IXFR.
1046 - Fix to remove unused variables from RPZ clientip data structure.
1049 - Fix #888: [FR] Use kernel timestamps for dnstap.
1050 - Fix to print debug log for ancillary data with correct IP address.
1053 - Fix warning in windows compile, in set_recvtimestamp.
1056 - Fix #885: Error: util/configlexer.c: No such file or directory,
1058 - Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
1059 - Fix doxygen in addr_to_nat64 header definition.
1062 - Merge #722 from David 'eqvinox' Lamparter: NAT64 support.
1063 - For #722: minor fixes, formatting, refactoring.
1066 - Fix RPZ IP responses with trigger rpz-drop on cache entries, that
1070 - Fix issue #860: Bad interaction with 0 TTL records and serve-expired
1073 - Merge #882 from vvfedorenko: Features/dropqueuedpackets, with
1074 sock-queue-timeout option that drops packets that have been in the
1077 - Fix for #882: small changes, date updated in Copyright for
1080 - Fix for #882: document variable to stop doxygen warning.
1083 - Fix for #878: Invalid IP address in unbound.conf causes Segmentation
1087 - Merge #875: change obsolete txt URL in unbound-anchor.c to point
1091 - Fix build badge, from failing travis link to github ci action link.
1094 - Fix for #870: Add test case for the qname minimisation and CNAME.
1097 - Fix #870: NXDOMAIN instead of NOERROR rcode when asked for existing
1101 - Fix issue #676: Unencrypted query is sent when
1102 forward-tls-upstream: yes is used without tls-cert-bundle
1103 - Extra consistency check to make sure that when TLS is requested,
1107 - Fix issue #851: reserved identifier violation
1110 - iana portlist update.
1113 - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option
1117 - Fix ssl.h include brackets, instead of quotes.
1120 - Fix unbound-dnstap-socket test program to reply the finish frame
1124 - Fix for #852: Completion of error handling.
1127 - Fix #825: Unexpected behavior with client-subnet-always-forward
1128 and serve-expired
1131 - Clean up iterator/iterator.c::error_response_cache() and allow for
1132 better interaction with serve-expired, prefetch and cached error
1136 - Allow TTL refresh of expired error responses.
1137 - Add testcase for refreshing expired error responses.
1140 - Fix to ignore entirely empty responses, and try at another authority.
1144 - Fix unit tests for spurious empty messages.
1145 - Fix consistency of unit test without roundrobin answers for the
1147 - Fix to git ignore the library symbol file that configure can create.
1150 - Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
1153 - Add duration variable for speed_local.test.
1156 - Fix acx_nlnetlabs.m4 for -Wstrict-prototypes.
1159 - Fix #833: [FR] Ability to set the Redis password.
1162 - Fix #835: [FR] Ability to use Redis unix sockets.
1165 - Merge #819: Added new static zone type block_a to suppress all A
1169 - Set max-udp-size default to 1232. This is the same default value as
1170 the default value for edns-buffer-size. It restricts client edns
1175 - Add harden-unknown-additional option. It removes
1178 - Set default for harden-unknown-additional to no. So that it does
1180 - Fix test for new default.
1183 - Fix not following cleared RD flags potentially enables amplification
1189 - Merge #826: Аdd a metric about the maximum number of collisions in
1191 - Improve documentation for #826, describe the large collisions amount.
1194 - Fix python module install path detection.
1195 - Fix python version detection in configure.
1198 - Fix #823: Response change to NODATA for some ANY queries since
1200 - Fix wildcard in hyperlocal zone service degradation, reported
1206 - Tag for 1.17.1 release.
1209 - Fix windows compile for libunbound subprocess reap comm point closes.
1210 - Update github workflows to use checkout v3.
1213 - Merge #569 from JINMEI Tatuya: add keep-cache option to
1214 'unbound-control reload' to keep caches.
1217 - Expose 'statistics-inhibit-zero' as a configuration option; the
1219 - Expose 'max-sent-count' as a configuration option; the
1221 - Merge #461 from Christian Allred: Add max-query-restarts option.
1226 - Merge #808: Wrap Makefile script's directory variables in quotes.
1227 - Fix to wrap Makefile scripts directory in quotes for uninstall.
1230 - Fix #773: When used with systemd-networkd, unbound does not start
1231 until systemd-networkd-wait-online.service times out.
1234 - Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
1235 - Clear documentation for interactivity between the subnet module and
1236 the serve-expired and prefetch configuration options.
1239 - Fix #782: Segmentation fault in stats.c:404.
1242 - Fix for the ignore of tcp events for closed comm points, preserve
1246 - Merge #720 from jonathangray: fix use after free when
1250 - Ignore expired error responses.
1253 - Fix #779: [doc] Missing documention in ub_resolve_event() for
1257 - Complementary fix for distutils.sysconfig deprecation in Python 3.10
1261 - Fix to ignore tcp events for closed comm points.
1262 - Fix to make sure to not read again after a tcp comm point is closed.
1263 - Fix #775: libunbound: subprocess reap causes parent process reap
1265 - iana portlist update.
1268 - Merge #767 from jonathangray: consistently use IPv4/IPv6 in
1269 unbound.conf.5.
1272 - Fix that cachedb does not store failures in the external cache.
1275 - Clarify the use of MAX_SENT_COUNT in the iterator code.
1278 - testcode/dohclient sets log identity to its name.
1281 - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
1283 - In unit test, print python script name list correctly.
1286 - Tag for 1.17.0 release. The code repository continues with 1.17.1.
1289 - Fix PROXYv2 header read for TCP connections when no proxied addresses
1293 - Tag for 1.17.0rc1 release.
1296 - Fix to stop possible loops in the tcp reuse code (write_wait list
1299 - Fix unit test to properly test the reuse_write_wait_pop function.
1302 - Fix to stop responses with TC flag from resulting in partial
1305 - Fix proxy length debug output printout typecasts.
1308 - Fix dnscrypt compile for proxy protocol code changes.
1311 - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
1312 - Fix string comparison in mini_tdir.sh.
1313 - Make ede.tdir test more predictable by using static data.
1314 - Fix checkconf test for dnscrypt and proxy port.
1317 - Merge #764: Leniency for target discovery when under load (for
1321 - Fix static analysis report to remove dead code from the
1323 - Fix to clean up after the acl_interface unit test.
1326 - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
1330 - Fix to remove erroneous TC flag from TCP upstream.
1331 - Fix test tdir skip report printout.
1332 - Fix windows compile, the identifier interface is defined in headers.
1333 - Fix to close errno block in comm_point_tcp_handle_read outside of
1337 - Better output for skipped tdir tests.
1340 - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
1341 - This patch was released in 1.16.3, the code repository continues
1343 - Fix doxygen warning in respip.h.
1346 - Convert tdir tests to use the new skip_test functionality.
1347 - Remove unused testcode/mini_tpkg.sh file.
1350 - Merge #753: ACL per interface. (New interface-* configuration
1354 - Remove include that was there for debug purposes.
1355 - Fix to check pthread_t size after pthread has been detected.
1358 - Fix to update config tests to fix checking if nonblocking sockets
1360 - Slow down log frequency of write wait failures.
1361 - Fix to set out of file descriptor warning to operational verbosity.
1362 - Fix to log a verbose message at operational notice level if a
1367 - Fix to avoid process wide fcntl calls mixed with nonblocking
1369 - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
1372 - Fix to wait for blocked write on UDP sockets, with a timeout if it
1374 - Fix for wait for udp send to stop when packet is successfully sent.
1377 - Fix #741: systemd socket activation fails on IPv6.
1380 - Fix to log accept error ENFILE and EMFILE errno, but slowly, once
1384 - Fix #734 [FR] enable unbound-checkconf to detect more (basic)
1388 - Fix ratelimit inconsistency, for ip-ratelimits the value is the
1392 - Fix edns subnet so that scope 0 answers only match sourcemask 0
1394 - Fix unittest for edns subnet change.
1395 - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
1399 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
1400 - Tests for ghost domain fixes.
1401 - Tag for 1.16.2 release. The code repo continues with 1.16.3.
1402 - Fix #728: alloc_reg_obtain() core dump. Stop double
1406 - Update documentation for 'outbound-msg-retry:'.
1409 - Merge #718: Introduce infra-cache-max-rtt option to config max
1413 - Merge PR 714: Avoid treat normal hosts as unresponsive servers.
1415 - iana portlist update.
1418 - For windows crosscompile, fix setting the IPV6_MTU socket option
1420 cross-compiler versions.
1423 - Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
1426 - Fix verbose EDE error printout.
1429 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
1431 - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
1435 - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022.
1439 - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS
1441 - Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
1442 - For #660: formatting, less verbose logging, add EDE information.
1443 - Fix for correct openssl error when adding windows CA certificates to
1445 - Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
1446 - Reintroduce documentation and more EDE support for
1450 - Merge PR #706: NXNS fallback.
1451 - From #706: Cached NXDOMAIN does not increase the target nx
1453 - From #706: Don't generate parent side queries if we already
1455 - From #706: When a lame address is the best choice, don't try to
1459 - iana portlist update.
1460 - Fix detection of libz on windows compile with static option.
1461 - Fix compile warning for windows compile.
1464 - Add debug option to the mini_tdir.sh test code.
1465 - Fix #704: [FR] Statistics counter for number of outgoing UDP queries
1466 sent; introduces 'num.query.udpout' to the 'unbound-control stats'
1468 - Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
1469 - Allow fallback to the parent side when MAX_TARGET_NX is reached.
1473 - Show the output of the exact .rpl run that failed with 'make test'.
1474 - Fix for cached 0 TTL records to not trigger prefetching when
1475 serve-expired-client-timeout is set.
1478 - Fix test program dohclient close to use portability routine.
1481 - Clarify -v flag manpage entry (#705)
1484 - Fix #663: use after free issue with edns options.
1487 - Fix for loading locally stored zones that have lines with blanks or
1491 - Remove unused LDNS function check for GOST Engine unloading.
1494 - Merge PR #688: Rpz url notify issue.
1495 - Note in the unbound.conf text that NOTIFY is allowed from the url:
1499 - Fix for edns client subnet to respect not looking in its cache when
1503 - makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
1506 …- Fix #684: [FTBS] configure script error with libmnl on openSUSE 15.3 (and possibly other distrib…
1507 - Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This
1512 - Fix to silence test for ede error output to the console from the
1514 - Fix ede test to not use default pidfile, and use local interface.
1515 - Fix some lint type warnings.
1518 - Fix typos in config_set_option for the 'num-threads' and
1519 'ede-serve-expired' options.
1522 - Fix #678: [FR] modify behaviour of unbound-control rpz_enable zone,
1523 by updating unbound-control's documentation.
1526 - Fix #417: prefetch and ECS causing cache corruption when used
1530 - Merge #677: Allow using system certificates not only on Windows,
1532 - For #677: Added tls-system-cert to config parser and documentation.
1535 - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to
1539 - Fix Python build in non-source directory; based on patch by
1543 - Merge PR #604: Add basic support for EDE (RFC8914).
1546 - Fix #670: SERVFAIL problems with unbound 1.15.0 running on
1550 - Fix zonemd check to allow unsupported algorithms to load.
1554 - Fix zonemd unsupported algo check.
1555 - Fix zonemd unsupported algo check reason to not copy to next record,
1557 - Fix zonemd unsupported algo check to print unsupported reason before
1559 - Fix zonemd unsupported algo check to set reason to NULL before the
1564 - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup.
1567 - Fix #651: [FR] Better logging for refused queries.
1570 - Merge PR #648 from eaglegai: fix -q doesn't work when use with
1571 'unbound-control stats_shm'.
1574 - Fix to describe auth-zone and other configuration at the local-zone
1578 - Fix to ensure uniform handling of spaces and tabs when parsing RRs.
1581 - Merge #644: Make `install-lib` make target install the pkg-config
1585 - Fix configure for python to use sysutils, because distutils is
1589 - Fix #637: Integer Overflow in sldns_str2period function.
1590 - Fix for #637: fix integer overflow checks in sldns_str2period.
1593 - Merge PR #632 from scottrw93: Match cnames in ipset.
1594 - Various fixes for #632: variable initialisation, convert the qinfo
1595 to str once, accept trailing dot in the local-zone ipset option.
1598 - Fix compile warnings for printf ll format on mingw compile.
1601 - Fix pythonmod for change in iter_dp_is_useless function prototype.
1604 - Fix #630: Unify the RPZ log messages.
1605 - Merge #623 from rex4539: Fix typos.
1608 - Fix #633: Document unix domain socket support for unbound-control.
1609 - Fix for #633: updated fix with new text.
1610 - Fix edns client subnet to add the option based on the option list,
1613 - Fix for edns client subnet option add fix in removal code, from review.
1616 - Fix to detect that no IPv6 support means that IPv6 addresses are
1618 - update Makefile dependencies.
1619 - Fix check interface existence for support detection in remote lookup.
1622 - Fix that address not available is squelched from the logs for
1624 - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with
1628 - Fix for #628: fix rpz-passthru for qname trigger by localzone type.
1631 - Fix #628: A rpz-passthru action is not ending RPZ zone processing.
1634 - Fix #624: Unable to stop Unbound in Windows console (does not
1636 - Fix #618: enabling interface-automatic disables DNS-over-TLS.
1637 Adds the option to list interface-automatic-ports.
1638 - Remove debug info from #618 fix.
1641 - Fix that TCP interface does not use TLS when TLS is also configured.
1644 - Fix #412: cache invalidation issue with CNAME+A.
1647 - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
1648 - Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022.
1652 - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
1653 - Merge PR #616: Update ratelimit logic. It also introduces
1654 ratelimit-backoff and ip-ratelimit-backoff configuration options.
1655 - Change aggressive-nsec default to yes.
1656 - Merge PR #617: Update stub/forward-host notation to accept port and
1657 tls-auth-name.
1658 - Update stream_ssl.tdir test to also use the new forward-host
1662 - Update version number in repo to 1.15.0 for upcoming release,
1663 since it changes the aggressive-nsec default and the ratelimit change.
1664 - Fix header comment for doxygen for authextstrtoaddr.
1665 - please clang analyzer for loop in test code.
1666 - Fix docker splint test to use more portable uname.
1667 - Update contrib/aaaa-filter-iterator.patch with diff for current
1671 - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
1675 - Fix review comment for use-after-free when failing to send UDP out.
1678 - iana portlist update.
1681 - Fix tls-* and ssl-* documented alternate syntax to also be available
1682 through remote-control and unbound-checkconf.
1683 - Better cleanup on failed DoT/DoH listening socket creation.
1686 - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
1690 - Test for NSID in SERVFAIL response due to DNSSEC bogus.
1693 - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
1695 - Merge PR #612: TCP race condition.
1698 - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
1701 - For dnstap, do not wakeupnow right there. Instead zero the timer to
1705 - Merge PR #605:
1706 - Fix EDNS to upstream where the same option could be attached
1708 - Add a region to serviced_query for allocations.
1711 - Add rpz: for-downstream: yesno option, where the RPZ zone is
1714 - For #602: Allow the module-config "subnetcache validator cachedb
1718 - Fix prematurely terminated TCP queries when a reply has the same ID.
1721 - Merge #600 from pemensik: Change file mode before changing file
1725 - Fix for #596: fix that rpz return message is returned and not just
1728 - Fix unit tests for rpz now that the AA flag returns successfully from
1730 - Fix for #596: add unit test for nsdname trigger and signal unset RA.
1731 - Fix for #596: add unit test for nsip trigger and signal unset RA.
1732 - Fix #598: Fix unbound-checkconf fatal error: module conf
1734 - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
1738 - Fix #596: unset the RA bit when a query is blocked by an unbound
1739 RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
1742 - Fix to add test for rpz-signal-nxdomain-ra.
1743 - Fix #596: only unset RA when NXDOMAIN is signalled.
1744 - Fix that RPZ does not set RD flag on replies, it should be copied
1748 - contrib/aaaa-filter-iterator.patch file renewed diff content to
1752 - Fix #591: Unbound-anchor manpage links to non-existent license file.
1755 - Add missing configure flags for optional features in the
1757 - Fix Unbound capitalization in the documentation.
1760 - Fix to pick up other class local zone information before unlock.
1763 - Allow local-data for classes other than IN to inherit a configured
1764 local-zone's type if possible, instead of defaulting to type
1768 - Add code similar to fix for ldns for tab between strings, for
1772 - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
1774 - Fix validator debug output about DS support, print correct algorithm.
1777 - Fix compile warning for if_nametoindex on windows 64bit.
1780 - configure is set to 1.14.0, and release branch.
1783 - Fix doc/unbound.doxygen to remove obsolete tag warning.
1786 - Merge PR #511 from yan12125: Reduce unnecessary linking.
1787 - Merge PR #493 from Jaap: Fix generation of libunbound.pc.
1788 - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6
1789 link-local addresses.
1790 - Merge PR #562 from Willem: Reset keepalive per new tcp session.
1791 - Merge PR #522 from sibeream: memory management violations fixed.
1792 - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer.
1793 - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared.
1794 - Fix #574: Review fixes for size allocation.
1797 - Fix to remove git tracking and ci information from release tarballs.
1798 - iana portlist update.
1801 - Merge PR #570 from rex4539: Fix typos.
1802 - Fix for #570: regen aclocal.m4, fix configure.ac for spelling.
1803 - Fix to make python module opt_list use opt_list_in.
1804 - Fix #574: unbound-checkconf reports fatal error if interface names
1806 - Fix #574: Review fixes for it.
1807 - Fix #576: [FR] UB_* error codes in unbound.h
1808 - Fix #574: Review fix for spelling.
1811 - Improve EDNS option handling, now also works for synthesised
1812 responses such as local-data and server.id CH TXT responses.
1815 - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is
1817 - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event.
1820 - Fix that forward-zone name is documented as the full name of the
1822 - Fix analyzer review failure in rpz action override code to not
1824 - Fix to remove unused code from rpz resolve client and action
1826 - Merge #565: unbound.service.in: Disable ProtectKernelTunables again.
1829 - Fix #552: Unbound assumes index.html exists on RPZ host.
1832 - Fix chaos replies to have truncation for short message lengths,
1834 - Fix to protect custom regional create against small values.
1837 - Fix to add example.conf note for outbound-msg-retry.
1840 - Implement RFC8375: Special-Use Domain 'home.arpa.'.
1843 - For crosscompile on windows, detect 64bit stackprotector library.
1844 - Fix crosscompile shell syntax.
1845 - Fix crosscompile windows to use libssp when it exists.
1846 - For the windows compile script disable gost.
1847 - Fix that on windows, use BIO_set_callback_ex instead of deprecated
1849 - Fix crosscompile script for the shared build flags.
1852 - Fix crosscompile on windows to work with openssl 3.0.0 the
1853 link with ws2_32 needs -l:libssp.a for __strcpy_chk.
1857 - Fix initialisation errors reported by gcc sanitizer.
1858 - Fix lock debug code for gcc sanitizer reports.
1859 - Fix more initialisation errors reported by gcc sanitizer.
1862 - Merged #41 from Moritz Schneider: made outbound-msg-retry
1864 - Small fixes for #41: changelog, conflicts resolved,
1868 - Fix for #41: change outbound retry to int to fix signed comparison
1870 - Fix root_anchor test to check with new icannbundle date.
1873 - Fix #538: Fix subnetcache statistics.
1876 - Fix tcp fastopen failure when disabled, try normal connect instead.
1879 - Fix #533: Negative responses get cached even when setting
1880 cache-max-negative-ttl: 1
1883 - Merge #401: RPZ triggers. This add additional RPZ triggers,
1886 are fully supported, and this now includes the tcp-only action.
1887 - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.)
1889 - Fix the stream wait stream_wait_count_lock and http2 buffer locks
1891 - Fix RPZ locks. Do not unlock zones lock if requested and rpz find
1896 - Fix compile warning in libunbound for listen desetup routine.
1897 - Fix asynclook unit test for setup of lockchecks before log.
1900 - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is
1902 - Fix #531: Fix: passed to proc after free.
1905 - Fix that --with-ssl can use "/usr/include/openssl11" to pass the
1907 - Fix #527: not sending quad9 cert to syslog (and may be more).
1908 - Fix sed script in ssldir split handling.
1911 - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf()
1915 - Fix to support harden-algo-downgrade for ZONEMD dnssec checks.
1918 - Support using system-wide crypto policies.
1919 - Fix for #431: Squelch permission denied errors for udp connect,
1921 - Fix zonemd verification of key that is not in DNS but in the zone
1923 - zonemd, fix order of bogus printout string manipulation.
1926 - Merge PR #514, from ziollek: Docker environment for run tests.
1927 - For #514: generate configure.
1930 - And 1.13.2rc1 became the 1.13.2 with the fix for the python module
1932 - Add test tool readzone to .gitignore.
1933 - Merge #521: Update mini_event.c.
1934 - Merge #523: fix: free() call more than once with the same pointer.
1935 - Merge #519: Support for selective enabling tcp-upstream for
1937 - For #519: note stub-tcp-upstream and forward-tcp-upstream in
1939 - For #519: yacc and lex. And fix python bindings, and test program
1940 unbound-dnstap-socket.
1941 - For #519: fix comments for doxygen.
1942 - Fix to print error from unbound-anchor for writing to the key
1946 - Tag for 1.13.2rc1 release.
1947 - Fix #520: Unbound 1.13.2rc1 fails to build python module.
1950 - Merge PR #415 from sibeream: Use
1952 ports. (New --enable-linux-ip-local-port-range configuration option)
1953 - Bump MAX_RESTART_COUNT to 11 from 8; in relation to #438. This
1957 - In unit test use openssl set security level to allow keys in test.
1958 - Fix static analysis warnings about localzone locks that are unused.
1959 - Fix missing locks in zonemd unit test.
1960 - Fix readzone compile under debug config.
1961 - Fix out of sourcedir run of zonemd unit tests.
1962 - Fix libnettle zonemd unit test.
1963 - Fix unit test zonemd_reload for use in run_vm.
1966 - Listen to read or write events after the SSL handshake.
1970 - Merge PR #517 from dyunwei: #420 breaks the mesh reply list
1972 - Annotate assertion into error printout; we think it may be an
1974 - Fix sign comparison warning on FreeBSD.
1977 - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
1979 - Move RSA and DSA to use OpenSSL 3.0.0 API.
1980 - Move ECDSA functions to use OpenSSL 3.0.0 API.
1981 - iana portlist update.
1982 - Fix verbose printout failure in tcp reuse unit test.
1985 - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to
1987 - For #515: Fix compilation with openssl 3.0.0 beta2, lib64 dir and
1989 - Move acx_nlnetlabs.m4 to version 41, with lib64 openssl dir check.
1992 - Merge #513: Stream reuse, attempt to fix #411, #439, #469. This
1997 - Merge #512: unbound.service.in: upgrade hardening to latest
1999 - Fix readzone unknown type print for memory resize.
2002 - Fix that ldns_zone_new_frm_fp_l counts the line number for an empty
2006 - Introduce 'http-user-agent:' and 'hide-http-user-agent:' options.
2009 - Merge #510 from ndptech: Don't call a function which hasn't been
2011 - Fix for #510: in depth, use ifdefs for windows api event calls.
2012 - Fix spelling in doc/unbound.doxygen comment.
2013 - Fix spelling in localzone.h comment.
2014 - Fix unbound-control local_data and local_datas to print detailed
2016 - review fix to remove duplicate error printout.
2017 - Insert header into testcode/readzone.c, it was missing.
2018 - Fix from lint for ignored return value.
2019 - Fix for older parsers for function call in serve expired get cached.
2022 - iana portlist update.
2025 - Fix compiler warnings for #491.
2026 - Fix clang-analysis warnings for testcode/readzone.c.
2029 - Fix Wunused-result compile warnings.
2032 - Merge PR #491: Add SVCB and HTTPS types and handling according to
2033 draft-ietf-dnsop-svcb-https.
2036 - Fix #506: Python Module Seems to Leak Memory if it Experiences an
2040 - Fix up permissions on rpl data file in tests.
2041 - Fix testbound newline treatment in moment_read and tempfile write.
2042 - Fix configure grep for reuseport default for failure.
2043 - Fix compat ctime_r return value
2044 - Fix configure does not require pkg-config if not needed.
2045 - Fix unit test in the ctime_r calls for autotrust and in testbound.
2046 - Fix auth zone download on windows to unlink before rename.
2049 - Add analyzer and port compile github workflow.
2052 - Fix #503: DNS over HTTPS response truncated.
2053 - Fix warnings reported by the gcc analyzer.
2056 - Fix #495: Documentation or implementation of "verbosity" option.
2059 - Fix a number of warnings reported by the gcc analyzer.
2062 - Merge #440 by kimheino: Various fixes to contrib/unbound_munin_ file.
2065 - Fix configure nonblocking test and onmingw test to use host.
2068 - Fix #500: SPEC file in version 1.13.1 references version 1.4;
2070 - Fix contrib/unbound.spec, fixed url and comment.
2073 - Merge #486 by fobster: Make VAL_MAX_RESTART_COUNT configurable.
2074 - Generated lexer and parser for #486; updated example.conf.
2075 - Fix #413 (based on patch by k-ronny): unbound: does not compile
2076 on macOS 11.1-x86_64 host.
2077 - Use host_os instead of target_os in configure for Darwin8 build.
2080 - Fix unused variable warning when compiling with --enable-dnstap.
2083 - Merge #448 from shoeper: Update unbound-control.8.in, fix
2085 - Fix #425: Document auth-zone supports communication with DNS
2089 - Fix test for zonemd-check option.
2092 - Merge #496 from banburybill: Use build system endianness if
2094 - zonemd-check: yesno option, default no, enables the processing
2098 - Move the NSEC3 max iterations count in line with the 150 value
2101 - Fix #492: module-config respip missing in unbound.conf.5.in man
2103 - For #492: Fix font highlighting for the man page on emacs.
2106 - Test code has -q option for quiet output.
2109 - Fix for #411, #439, #469: Reset the DNS message ID when moving queries
2111 - Refactor for uniform way to produce random DNS message IDs.
2114 - Fix #489: Compile using MSYS2 MinGW 64-bit.
2117 - Fix that auth-zone zonefiles use last TTL if no TTL is specified.
2120 - Merge PR #487: ifdef RLIMIT_AS in recently added check.
2123 - Fix #485: Unbound occasionally reports broken stats.
2124 - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024.
2125 - Remove case fallthrough from deprecate-rsa-1024 code.
2128 - Fix for #367: only attempt to get the interface for queries that are no
2130 - Add more logging for out-of-memory cases.
2133 - Merge #478: Allow configuration of TCP timeout while waiting for
2135 - Fix to squelch tcp socket bind failures when the interface is gone.
2136 - Rerun flex and bison.
2139 - Fix #481: Fix comment in configuration file.
2142 - Add that log-servfail prints an IP address and more information
2146 - Fix compiler warning for signed/unsigned comparison for
2150 - Fix #474: always_null and others inside view.
2153 - Merge #470 from edevil: Allow configuration of persistent TCP
2157 - Merge #466 from FGasper: Support OpenSSLs that lack
2159 - Fix #468: OpenSSL 1.0.1 can no longer build Unbound.
2160 - Further fix for #468: detect SSL_CTX_set_alpn_protos for build with
2162 - Fix that testcode dohclient has OpenSSL initialisation calls.
2165 - Fix documentation comment for files previously residing in checkconf/.
2166 - Remove unused functions worker_handle_reply and libworker_handle_reply.
2169 - Fix that nxdomain synthesis does not happen above the stub or
2173 - Fix (increase) verbosity level for iterator error log in
2177 - Fix permission denied sendto log, squelch the log messages
2181 - rebuild configure to set EXTRALINK to libunbound.la for #460.
2184 - Fix for #411: Depth protect for crash on deleted element timeout.
2187 - Merge #460 from orbea: build: Link with the libtool archive.
2188 - Fix to stop IPv6 PMTU discovery.
2191 - Clean makedist.sh.
2194 - Fix stack-protector change to not override other CFLAGS options.
2197 - Disable the use of stack-protector for cross compiled 32-bit windows
2201 - Fix #429: Also fix end of transfer for http download of auth zones.
2204 - Fix deprecation test to work for iOS TVOS and WatchOS, it uses
2206 - Travis, fix script to fail when tasks fail.
2207 - Travis, fix warning in ubsan compile.
2208 - Fix configure Targetconfiditionals.h header check, to use compile.
2209 - Fix that cachedb does not produce empty object files when disabled.
2212 - Travis enable all tests again. Clang analyzer only a couple times,
2215 tests to allow-failure.
2216 - travis, analyzer disabled on test without debug, that does not
2221 - Fix unused-function warning when compiling with --enable-dnscrypt.
2222 - Fix for #367: fix memory leak when cannot bind to listening port.
2223 - Reformat pythonmod/pythonmod_utils.{c,h}.
2226 - Merge #449 from orbea: build: Add missing linker flags.
2227 - iana portlist update.
2228 - Comment out nonworking OSX and IOS travis tests, vm fails to start.
2229 - Fix compile error in listen_dnsport on Android.
2230 - Fix memory leak reported by asan in rpz SOA record query name.
2233 - Fix for #447: squelch connection refused tcp connection failures
2237 - Fix #441: Minimal NSEC range not accepted for top level domains.
2240 - Fix parse of LOC RR type for decimetres.
2243 - Workaround for #439: prevent loops in the reuse rbtree.
2244 - Debug output for #411 and #439: printout internal error and details.
2247 - iana portlist update.
2248 - Fix spurious errors about "Could not generate request: out of
2253 - Fix for #367: rc_ports don't have ub_sock; skip cleaning up.
2256 - Fix: Resolve interface names on control-interface too.
2259 - Merge PR #367 : DNSTAP log local address. With code from PR #365
2262 - Fix to allow rpz with wildcard that applies to all TLDs at once.
2265 - Fix #384: (1) A minor request to improve the log (2) A minor bug in one
2267 - ipsecmod: Better logging for detecting a cycle when attaching the
2271 - On startup of unbound it checks if rlimits on memory size look
2273 - Fix function documentation.
2274 - Fix unit test for added ulimit checks.
2275 - spelling fix in header.
2278 - Fix for zonemd, that domain-insecure zones work without dnssec.
2279 - Fix for zonemd, do not reject insecure result from trust anchor
2283 - Fix #431: Squelch permission denied errors for tcp connect
2285 - Fix for zonemd, that nxdomain for the chain of trust is allowed
2289 - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
2290 ZONEMD records are checked for zones loaded as auth-zone,
2292 zonemd-permissive-mode that makes it log but not fail wrong zones.
2293 With zonemd-reject-absence for an auth-zone the presence of a
2295 - Fix doxygen and pydoc warnings.
2296 - Fix #429: rpz: url: with https: broken (regression in 1.13.1).
2297 - rpz skip nsec3param records, and nicer log for unsupported actions.
2300 - Fix #422: IPv6 fallback issues when IPv6 is not properly
2302 - Fix to make tests work with support indicators set for iterator.
2303 - Fix build on Python 3.10.
2306 - Merge PR #420 from dyunwei: DOH not responsing with
2310 - Fix for Python 3.9, no longer use deprecated functions of
2315 - release 1.13.1rc2 tag on branch-1.13.1 with added changes of 2 feb.
2320 - branch-1.13.1 is created, with release-1.13.1rc1 tag.
2321 - Fix dynlibmod link on rhel8 for -ldl inclusion.
2322 - Fix windows dependency on libssp.dll because of default stack
2324 - Fix indentation of root anchor for use by windows install script.
2327 - Attempt to fix NULL keys in the reuse_tcp tree; relates to #411.
2330 - Fix for doxygen 1.8.20 compatibility.
2333 - Annotate that we ignore the return value of if_indextoname.
2334 - Fix to use correct type for label count in rpz routine.
2335 - Fix empty clause warning in config_file nsid parse.
2336 - Fix to use correct type for label count in ipdnametoaddr rpz routine.
2337 - Fix empty clause warning in edns pass for padding.
2338 - Fix fwd ancil test post script when not supported.
2341 - Merge PR #408 from fobser: Prevent a few more yacc clashes.
2342 - Merge PR #275 from Roland van Rijswijk-Deij: Add feature to return the
2343 original instead of a decrementing TTL ('serve-original-ttl')
2344 - Merge PR #355 from noloader: Make ICANN Update CA and DS Trust Anchor
2346 - Ignore cache blacklisting when trying to reply with expired data from
2350 - Fix compile of unbound-dnstap-socket without dnstap installed.
2353 - Padding of queries and responses with DNS over TLS as specified in
2357 - Fix TTL of SOA record for negative answers (localzone and
2361 - Support for RFC5001: DNS Name Server Identifier (NSID) Option
2362 with the nsid: option in unbound.conf
2365 - Fix #404: DNS query with small edns bufsize fail.
2366 - Fix declaration before statement and signed comparison warning in
2370 - Merge #402 from fobser: Implement IPv4-Embedded addresses according
2374 - Fix for #93: dynlibmodule import library is named libunbound.dll.a.
2377 - Merge #399 from xiangbao227: The lock of lruhash table should
2379 - Fix for #93: dynlibmodule link fix for Windows.
2382 - Fix #397: [Feature request] add new type always_null to local-zone
2384 - Fix so local zone types always_nodata and always_deny can be used
2388 - Merge PR #391 from fhriley: Add start_time to reply callbacks so
2390 - For #391: use struct timeval* start_time for callback information.
2391 - For #391: fix indentation.
2392 - For #391: more double casts in python start time calculation.
2393 - Add comment documentation.
2394 - Fix clang analysis warning.
2397 - Fix #379: zone loading over HTTP appears to have buffer issues.
2398 - Merge PR #395 from mptre: add missing null check.
2399 - Fix #387: client-subnet-always-forward seems to effectively bypass
2403 - Fix #385: autoconf 2.70 impacts unbound build
2404 - Merge PR #375 by fhriley: Add rpz_enable and rpz_disable commands
2405 to unbound-control.
2408 - For #376: Fix that comm point event is not double removed or double
2410 - iana portlist updated.
2413 - Fix error cases when udp-connect is set and send() returns an error
2417 - Fix #371: unbound-control timeout when Unbound is not running.
2418 - Fix to squelch permission denied and other errors from remote host,
2420 - Merge PR #335 from fobser: Sprinkle in some static to prevent
2422 - Merge PR #373 from fobser: Warning: arithmetic on a pointer to void
2424 - Fix missing prototypes in the code.
2427 - make depend.
2428 - iana portlist updated.
2431 - Fix #360: for the additionally reported TCP Fast Open makes TCP
2434 - Fix #356: deadlock when listening tcp.
2435 - Fix unbound-dnstap-socket to not use log routine from interrupt
2437 - Fix on windows to ignore connection failure on UDP, unless verbose.
2438 - Fix for #283: fix stream reuse and tcp fast open.
2439 - Fix update, with write event check with streamreuse and fastopen.
2442 - Fix #358: Squelch udp connect 'no route to host' errors on low
2446 - Fix assertion failure on double callback when iterator loses
2449 - tag for the 1.13.0rc4 release. This also became the 1.13.0
2455 - Fix compile warning for type cast in http2_submit_dns_response.
2456 - Fix when use free buffer to initialize rbtree for stream reuse.
2457 - Fix compile warnings for windows.
2458 - Fix compile warnings in rpz initialization.
2459 - Fix contrib/metrics.awk for FreeBSD awk compatibility.
2460 - tag for the 1.13.0rc3 release.
2463 - Fix to omit UDP receive errors from log, if verbosity low.
2464 These happen because of udp-connect.
2465 - For #352: contrib/metrics.awk for Prometheus style metrics output.
2466 - Fix that after failed read, the readagain cannot activate.
2467 - Clear readagain upon decommission of pending tcp structure.
2470 - with udp-connect ignore connection refused with UDP timeouts.
2471 - Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
2472 - Better fix for reuse tree comparison for is-tls sockets. Where
2474 - Remove debug commands from reuse tests.
2475 - Fix memory leak for edns client tag opcode config element.
2476 - Attempt fix for libevent state in tcp reuse cases after a packet
2478 - Fix readagain and writeagain callback functions for comm point
2480 - tag for the 1.13.0rc2 release.
2483 - Merge PR #283 : Stream reuse. This implements upstream stream
2486 - set version of main branch to 1.13.0 for upcoming release.
2487 - iana portlist updated.
2488 - Fix one port unit test for udp-connect.
2489 - tag for the 1.13.0rc1 release.
2490 - Fix crash when TLS connection is closed prematurely, when
2492 - Fix padding of struct regional for 32bit systems.
2495 - Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
2496 edns-client-string option.
2499 - Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
2501 - Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
2504 - Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
2505 - Option to toggle udp-connect, default is enabled.
2506 - Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
2508 - Further fix for it and retvalue 0 fix for it.
2511 - Fix to connect() to UDP destinations, default turned on,
2513 - Retry for interfaces with unused ports if possible.
2516 - Fix #341: fixing a possible memory leak.
2517 - Fix memory leak after fix for possible memory leak failure.
2518 - Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
2522 - In man page note that tls-cert-bundle is read before permission
2526 - Fix #333: Unbound Segmentation Fault w/ log_info Functions From
2528 - Fix that minimal-responses does not remove addresses from a priming
2532 - Fix #327: net/if.h check fails on some darwin versions; contribution by
2534 - Fix #320: potential memory corruption due to size miscomputation upton
2538 - Merge PR #228 : infra-keep-probing option to probe hosts that are
2539 down. Add infra-keep-probing: yes option. Hosts that are down are
2548 - Merge PR #324 from James Renken: Add modern X.509v3 extensions to
2549 unbound-control TLS certificates.
2550 - Fix for PR #324 to attach the x509v3 extensions to the client
2554 - local-zone regional allocations outside of chunk
2557 - Fix that http settings have colon in set_option, for
2558 http-endpoint, http-max-streams, http-query-buffer-size,
2559 http-response-buffer-size, and http-nodelay.
2560 - Fix memory leak of https port string when reading config.
2561 - Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
2562 This adds the option http-notls-downstream: yesno to change that,
2563 and the dohclient test code has the -n option.
2564 - Fix python documentation warning on functions.rst inplace_cb_reply.
2565 - Fix dnstap test to wait for log timer to see if queries are logged.
2566 - Log ip address when http session recv fails, eg. due to tls fail.
2567 - Fix to set the tcp handler event toggle flag back to default when
2569 - Clean the fix for out of order TCP processing limits on number
2573 - Fix that the out of order TCP processing does not limit the
2577 - Fix that if there are reply callbacks for the given rcode, those
2580 - Pass the comm_reply information to the inplace_cb_reply* functions
2584 - Merge PR #326 from netblue30: DoH: implement content-length
2586 - DoH content length, simplify code, remove declaration after
2590 - Fix for python reply callback to see mesh state reply_list member,
2593 - Fix that if there are on reply callbacks, those are called per
2595 - Free up auth zone parse region after use for lookup of host
2598 - Fix #323: unbound testsuite fails on mock build in systemd-nspawn
2602 - Fix dnstap socket and the chroot not applied properly to the dnstap
2604 - Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
2607 - Tag for 1.12.0 release.
2608 - Current repo is version 1.12.1 in development.
2609 - Fix #319: potential memory leak on config failure, in rpz config.
2612 - Current repo is version 1.12.0 for release. Tag for 1.12.0rc1.
2615 - Fix doh tests when not compiled in.
2616 - Add dohclient test executable to gitignore.
2617 - Fix stream_ssl, ssl_req_order and ssl_req_timeout tests for
2619 - Easier kill of unbound-dnstap-socket tool in test.
2620 - Fix memory leak of edns tags at libunbound context delete.
2621 - Fix double loopexit for unbound-dnstap-socket after sigterm.
2624 - DNS Flag Day 2020: change edns-buffer-size default to 1232.
2627 - Fix unit test for dnstap changes, so that it waits for the timer.
2630 - Fix #305: dnstap logging significantly affects unbound performance
2632 - Fix #305: only wake up thread when threshold reached.
2633 - Fix to ifdef fptr wlist item for dnstap.
2636 - Fix edns-client-tags get_option typo
2637 - Add edns-client-tag-opcode option
2638 - Use inclusive language in configuration
2641 - Fix #304: dnstap logging not recovering after dnstap process restarts
2644 - Merge PR #311 by luismerino: Dynlibmod leak.
2645 - Error message is logged for dynlibmod malloc failures.
2646 - iana portlist updated.
2649 - Fix that prefer-ip4 and prefer-ip6 can be get and set with
2650 unbound-control, with libunbound and the unbound-checkconf option
2652 - iana portlist updated.
2655 - Introduce test for statistics.
2658 - Spelling fix.
2661 - Remove x file mode on ipset/ipset.c and h files.
2664 - Fix num.expired statistics output.
2667 - Merge PR #293: Add missing prototype. Also refactor to use the new
2669 - Refactor to use sock_strerr shorthand function.
2670 - Fix #296: systemd nss-lookup.target is reached before unbound can
2674 - Similar to NSD PR#113, implement that interface names can be used,
2677 - Review fix, doxygen and assign null in case of error free.
2680 - Update documentation in python example code.
2683 - Fix that dnstap reconnects do not spam the log with the repeated
2686 - Fix to apply chroot to dnstap-socket-path, if chroot is enabled.
2687 - Change configure to use EVP_sha256 instead of HMAC_Update for
2688 openssl-3.0.0.
2691 - Fix stats double count issue (#289).
2694 - Create and init edns tags data for libunbound.
2697 - Merge (modified) PR #277, use EVP_MAC_CTX_set_params if available,
2701 - Fix #287: doc typo: "Additionaly".
2702 - Rerun autoconf
2705 - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound.
2711 - contrib/aaaa-filter-iterator.patch file renewed diff content to
2715 - Merge PR #272: Add EDNS client tag functionality.
2718 - Improve error log message when inserting rpz RR.
2719 - Merge PR #280, Make tvOS & watchOS checks verify truthiness as well as
2723 - Fix mini_event.h on OpenBSD cannot find fd_set.
2726 - Fix doxygen comment for no ssl for tls session ticket key callback
2730 - Merge PR #268, draft-ietf-dnsop-serve-stale-10 has become RFC 8767 on
2734 - Merge PR #269, Fix python module len() implementations, by Torbjörn
2738 - branch now named 1.11.1. 1.11.0rc1 became the 1.11.0 release.
2739 - Merge PR #270 from cgzones: munin plugin: always exit 0 in autoconf
2742 - Fix streamtcp to print packet data to stdout. This makes the
2744 - Fix contrib/fastrpz.patch to apply cleanly. It fixes for changes
2747 - branch now named 1.11.0 and 1.11.0rc1 tag.
2750 - Fix libnettle compile for session ticket key callback function
2752 - Fix lock dependency cycle in rpz zone config setup.
2755 - Merge PR #234 - Ensure proper alignment of cmsg buffers by Jérémie
2756 Courrèges-Anglas.
2757 - Fix PR #234 log_assert sizeof to use union buffer.
2760 - Fix check conf test for referencing installation paths.
2761 - Fix unused variable warning for clang analyzer.
2764 - Introduce 'include-toplevel:' configuration option.
2767 - Add bidirectional frame streams support.
2770 - Fix add missing DSA header, for compilation without deprecated
2772 - Fix to use SSL_CTX_set_tlsext_ticket_key_evp_cb in OpenSSL
2773 3.0.0-alpha4.
2774 - Longer keys for the test set, this avoids weak crypto errors.
2777 - Fix #259: Fix unbound-checkconf does not check view existence.
2778 unbound-checkconf checks access-control-view, access-control-tags,
2779 access-control-tag-actions and access-control-tag-datas.
2780 - Fix offset of error printout for access-control-tag-datas.
2781 - Review fixes for checkconf #259 change.
2784 - run_vm cleanup better and removes trailing slash on single argument.
2787 - Move reply list clean for serve expired mesh callback to after
2789 - Also move reply list clean for mesh callbacks to the scrip callback
2791 - Fix for mesh accounting if the reply list already empty to begin
2793 - Fix for mesh accounting when rpz decides to drop a reply with a
2795 - Review fix for number of detached states due to use of variable
2797 - Fix tcp req info drop due to size call into mesh accounting
2801 - iana portlist updated.
2802 - doxygen file comments for dynlibmodule.
2805 - Fix default explanation in man page for qname-minimisation-strict.
2806 - Fix display of event loop method with libev.
2809 - Mention tls name possible when tls is enabled for stub-addr in the
2813 - Merge PR #241 by Robert Edmonds: contrib/libunbound.pc.in: Do not use
2817 - Update contrib/aaaa-filter-iterator.patch for the recent
2821 - Fix for integer overflow when printing RDF_TYPE_TIME.
2824 - CVE-2020-12662 Unbound can be tricked into amplifying an incoming
2826 - CVE-2020-12663 Malformed answers from upstream name servers can be
2828 - Release 1.10.1 is 1.10.0 with fixes, code repository continues,
2831 - For PR #93: windows compile warnings removal
2832 - windows compile warnings removal for ip dscp option code.
2833 - For PR #93: unit test for dynlib module.
2836 - For PR #93: dynlibmod can handle reloads and deinit and inits again,
2839 to allow one dynlibmod instance by unbound-checkconf.
2840 - For PR #93: checkconf allows multiple dynlib in module-config, for
2842 - For PR #93: checkconf allows python dynlib in module-config, for
2844 - For PR #93: man page spelling reference fix.
2845 - For PR #93: fix link of other executables for dynlibmod dependency.
2848 - Merge PR #93: Add dynamic library support.
2849 - Fixed conflicts for PR #93 and make configure, yacc, lex.
2850 - For PR #93: Fix warnings for dynlibmodule.
2853 - Cache ECS answers with longest scope of CNAME chain.
2856 - Explicitly use 'rrset-roundrobin: no' for test cases.
2859 - Merge #225 from akhait: KSK-2010 has been revoked. It removes the
2860 KSK-2010 from the default list in unbound-anchor, now that the
2861 revocation period is over. KSK-2017 is the only trust anchor in
2865 - Change default value for 'rrset-roundrobin' to yes.
2866 - Fix tests for new rrset-roundrobin default.
2869 - Fix #222: --enable-rpath, fails to rpath python lib.
2870 - Fix for count of reply states in the mesh.
2871 - Remove unneeded was_mesh_reply check.
2874 - Add SNI support on more TLS connections (fixes #193).
2875 - Add SNI support to unbound-anchor.
2878 - Add doxygen documentation for DSCP.
2881 - Fix help return code in unbound-control-setup script.
2882 - Fix for posix shell syntax for trap in nsd-control-setup.
2883 - Fix for posix shell syntax for trap in run_msg.sh test script.
2886 - Fix #220: auth-zone section in config may lead to segfault.
2889 - Merge PR #214 from gearnode: unbound-control-setup recreate
2890 certificates. With the -r option the certificates are created
2894 - Keep track of number of timeouts. Use this counter to determine if
2898 - More documentation for redis-expire-records option.
2901 - Merge PR #206: Redis TTL, by Talkabout.
2904 - Merge PR #207: Clarify if-automatic listens on 0.0.0.0 and ::
2905 - Merge PR #208: Fix uncached CLIENT_RESPONSE'es on stateful
2909 - Merge PR #203 from noloader: Update README-Travis.md with current
2913 - Make unbound-control error returned on missing domain name more user
2917 - Fix RPZ concurrency issue when using auth_zone_reload.
2920 - Merge PR #201 from noloader: Fix OpenSSL cross-compaile warnings.
2921 - Fix on #201.
2924 - Merge PR #200 from yarikk: add ip-dscp option to specify the DSCP
2926 - Fixes on #200.
2927 - Travis fix for ios by omitting tools from install.
2930 - Fix compile on Solaris for unbound-checkconf.
2933 - Merge PR #198 from fobser: Declare lz_enter_rr_into_zone() static, it's
2937 - Merge PR #197 from fobser: Make log_ident_revert_to_default() a
2941 - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
2942 - Fix #158: open tls-session-ticket-keys as binary, for Windows. By
2944 - Merge PR#134, Allow the kernel to provide random source ports. By
2946 - Log warning when using outgoing-port-permit and outgoing-port-avoid
2948 - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
2949 - Fix .travis.yml error, missing 'env' option.
2952 - Fix #192: In the unbound-checkconf tool, the module config of
2957 - Fix compile of test tools without protobuf.
2960 - Add check to make sure RPZ records are subdomains of configured
2964 - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
2966 - Changelog entry for (Fix #189, Merge PR #190).
2969 - Fix #188: unbound-control.c:882:6: error: 'execlp' is
2973 - Merge PR #186, fix #183: Fix unrecognized 'echo -n' option on OS X, by
2977 - Fix PR #182 from noloader: Add iOS testing to Travis.
2980 - Update README-Travis.md (from PR #179), by Jeffrey Walton.
2983 - Merge PR #181 from noloader: Fix OpenSSL -pie warning on Android.
2986 - Merge PR #180 from noloader: Avoid calling exit in Travis script.
2989 - Upgrade config.guess(2020-01-01) and config.sub(2020-01-01).
2992 - Fix #175, Merge PR #176: fix link error when OpenSSL is configured
2993 with no-engine, thanks noloader.
2996 - Fix compiler warning in dns64/dns64.c
2997 - Merge PR #174: Add Android to Travis testing, by noloader.
2998 - Move android build scripts to contrib/ and allow android tests to fail.
3001 - Fix #177: dnstap does not build on macOS.
3004 - Merge PR #172: Add IBM s390x arch for testing, by noloader.
3007 - Merge PR #173: updated makedist.sh for config.guess and
3009 - Merge PR #164: Framestreams, this branch implements dnstap
3017 The make unbound-dnstap-socket builds a debug tool,
3018 unbound-dnstap-socket. It can listen, accept multiple DNSTAP
3026 in the man page and example config file. dnstap-ip with IP
3027 address of server for TCP or TLS use. dnstap-tls to turn
3028 on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle,
3029 dnstap-tls-client-key-file and dnstap-tls-client-cert-file
3034 - Merge PR #171: Add additional compilers and platforms to Travis
3038 - Fix #169: Fix warning for daemon/remote.c output may be truncated
3040 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
3042 - Fix more undefined sanitizer issues, in respip copy_rrset null
3046 - iana portlist updated.
3049 - Fix #165: Add prefer-ip4: yesno config option to prefer ipv4 for
3054 - Merge PR #166: Fix typo in unbound.service.in, by glitsj16.
3057 - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
3059 - master branch has 1.10.1 version.
3062 - protect X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS with ifdef for
3066 - changelog point where the tag for 1.10.0rc2 release is. And with
3070 - Add respip to supported module-config options in unbound-checkconf.
3073 - Remove unused variable.
3076 - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
3077 in RPZ-Format, contributed by Andreas Schulze.
3080 - Fix spelling in unbound.conf.5.in.
3081 - Stop unbound-checkconf from insisting that auth-zone and rpz
3085 - tag for 1.10.0rc1 release.
3088 - Fix with libnettle make test with dsa disabled.
3089 - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
3091 - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
3092 - Fix compile warning when threads disabled.
3093 - updated version number to 1.10.0.
3096 - Document 'ub_result.was_ratelimited' in libunbound.
3097 - Fix use after free on log-identity after a reload; Fixes #163.
3100 - Fix num_reply_states and num_detached_states counting with
3102 - Cleaner code in mesh_serve_expired_lookup.
3103 - Document in unbound.conf manpage that configuration clauses can be
3107 - Fix num_reply_addr counting in mesh and tcp drop due to size
3109 - Fix to create and destroy rpz_lock in auth_zones structure.
3110 - Fix to lock zone before adding rpz qname trigger.
3111 - Fix to lock and release once in mesh_serve_expired_lookup.
3112 - Fix to put braces around empty if body when threading is disabled.
3115 - Added serve-stale functionality as described in
3116 draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
3118 - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
3119 - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
3120 come with a configurable TTL value (`serve-expired-reply-ttl`).
3121 - Fixed stats when replying with cached, cname-aliased records.
3122 - Added missing default values for redis cachedb backend.
3125 - Add assertion to please static analyzer
3128 - Fix fclose on error in TLS session ticket code.
3131 - Fix memory leak in error condition remote.c
3132 - Fix double free in error condition view.c
3133 - Fix memory leak in do_auth_zone_transfer on success
3134 - Merge RPZ support into master. Only QNAME and Response IP triggers are
3136 - Stop working on socket when socket() call returns an error.
3137 - Check malloc return values in TLS session ticket code
3140 - Fix subnet tests for disabled DSA algorithm by default.
3141 - Update contrib/fastrpz.patch for clean diff with current code.
3142 - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
3145 - updated .gitignore for added contrib file.
3146 - Add build rule for ipset to Makefile
3147 - Add getentropy_freebsd.o to Makefile dependencies.
3150 - Merge PR#156 from Alexander Berkes; Added unbound-control
3154 - Fix #157: undefined reference to `htobe64'.
3157 - Merge PR#147; change rfc reference for reserved top level dns names.
3160 - iana portlist updated.
3161 - Fix to silence the tls handshake errors for broken pipe and reset
3165 - Merge PR#154; Allow use of libbsd functions with configure option
3166 --with-libbsd. By Robert Edmonds and Steven Chamberlain.
3167 - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
3170 - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
3172 - Fix #153: Disable validation for DSA algorithms. RFC 8624
3176 - Merge PR#150 from Frzk: Systemd unit without chroot. It add
3182 - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
3183 because dnscrypt-proxy (2.0.36) does not support the test setup
3186 - Fix crash after reload where a stats lookup could reference old key
3188 - Fix for memory leak when edns subnet config options are read when
3190 - Fix auth zone support for NSEC3 records without salt.
3193 - Fix the relationship between serve-expired and prefetch options,
3195 - Fix unreachable code in ssl set options code.
3198 - Fix #138: stop binding pidfile inside chroot dir in systemd service
3202 - Fix 'make test' to work for --disable-sha1 configure option.
3203 - Fix out-of-bounds null-byte write in sldns_bget_token_par while
3204 parsing type WKS, reported by Luis Merino from X41 D-Sec.
3205 - Updated sldns_bget_token_par fix for also space for the zero
3209 - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
3212 - Changes to compat/getentropy_solaris.c for,
3217 - Merge #135 from Florian Obser: Use passed in neg and key cache
3218 if non-NULL.
3219 - Fix #140: Document slave not downloading new zonefile upon update.
3222 - Update mailing list URL.
3225 - Master is 1.9.7 in development.
3226 - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
3230 - Fix to make auth zone IXFR to fallback to AXFR if a single
3234 - Fix ipsecmod compile.
3235 - Fix Makefile.in for ipset module compile, from Adi Prasaja.
3236 - release-1.9.6 tag, which became the 1.9.6 release
3239 - unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
3240 replacements for unbound-fuzzme.c that gets created after applying
3241 the contrib/unbound-fuzzme.patch. They are contributed by
3242 Eric Sesterhenn from X41 D-Sec.
3243 - tag for 1.9.6rc1.
3246 - Fix lock type for memory purify log lock deletion.
3247 - Fix testbound for alloccheck runs, memory purify and lock checks.
3248 - update contrib/fastrpz.patch to apply more cleanly.
3249 - Fix Make Test Fails when Configured With --enable-alloc-nonregional,
3250 reported by X41 D-Sec.
3253 - Merge pull request #124 from rmetrich: Changed log lock
3255 - Fix text around serial arithmatic used for RRSIG times to refer
3257 - Fix Assert Causing DoS in synth_cname(),
3258 reported by X41 D-Sec.
3259 - Fix similar code in auth_zone synth cname to add the extra checks.
3260 - Fix Assert Causing DoS in dname_pkt_copy(),
3261 reported by X41 D-Sec.
3262 - Fix OOB Read in sldns_wire2str_dname_scan(),
3263 reported by X41 D-Sec.
3264 - Fix Out of Bounds Write in sldns_str2wire_str_buf(),
3265 reported by X41 D-Sec.
3266 - Fix Out of Bounds Write in sldns_b64_pton(),
3268 reported by X41 D-Sec.
3269 - Fix Insufficient Handling of Compressed Names in dname_pkt_copy(),
3270 reported by X41 D-Sec.
3271 - Fix Out of Bound Write Compressed Names in rdata_copy(),
3272 reported by X41 D-Sec.
3273 - Fix Hang in sldns_wire2str_pkt_scan(),
3274 reported by X41 D-Sec.
3276 - Fix snprintf() supports the n-specifier,
3277 reported by X41 D-Sec.
3278 - Fix Bad Indentation, in dnscrypt.c,
3279 reported by X41 D-Sec.
3280 - Fix Client NONCE Generation used for Server NONCE,
3281 reported by X41 D-Sec.
3282 - Fix compile error in dnscrypt.
3283 - Fix _vfixed not Used, removed from sbuffer code,
3284 reported by X41 D-Sec.
3285 - Fix Hardcoded Constant, reported by X41 D-Sec.
3286 - make depend
3289 - Merge pull request #122 from he32: In tcp_callback_writer(),
3290 don't disable time-out when changing to read.
3293 - Fix compiler warnings.
3296 - Fix dname loop maximum, reported by Eric Sesterhenn from X41 D-Sec.
3297 - Add make distclean that removes everything configure produced,
3298 and make maintainer-clean that removes bison and flex output.
3301 - Fix Out of Bounds Read in rrinternal_get_owner(),
3302 reported by X41 D-Sec.
3303 - Fix Race Condition in autr_tp_create(),
3304 reported by X41 D-Sec.
3305 - Fix Shared Memory World Writeable,
3306 reported by X41 D-Sec.
3307 - Adjust unbound-control to make stats_shm a read only operation.
3308 - Fix Weak Entropy Used For Nettle,
3309 reported by X41 D-Sec.
3310 - Fix Randomness Error not Handled Properly,
3311 reported by X41 D-Sec.
3312 - Fix Out-of-Bounds Read in dname_valid(),
3313 reported by X41 D-Sec.
3314 - Fix Config Injection in create_unbound_ad_servers.sh,
3315 reported by X41 D-Sec.
3316 - Fix Local Memory Leak in cachedb_init(),
3317 reported by X41 D-Sec.
3318 - Fix Integer Underflow in Regional Allocator,
3319 reported by X41 D-Sec.
3320 - Upgrade compat/getentropy_linux.c to version 1.46 from OpenBSD.
3321 - Synchronize compat/getentropy_win.c with version 1.5 from
3323 - Upgrade compat/getentropy_solaris.c to version 1.13 from OpenBSD.
3324 - Upgrade compat/getentropy_osx.c to version 1.12 from OpenBSD.
3325 - Changes to compat/getentropy files for,
3331 - Fixed Compat Code Diverging from Upstream, reported by X41 D-Sec.
3332 - Fix compile with --enable-alloc-checks, reported by X41 D-Sec.
3333 - Fix Terminating Quotes not Written, reported by X41 D-Sec.
3334 - Fix Useless memset() in validator, reported by X41 D-Sec.
3335 - Fix Unrequired Checks, reported by X41 D-Sec.
3336 - Fix Enum Name not Used, reported by X41 D-Sec.
3337 - Fix NULL Pointer Dereference via Control Port,
3338 reported by X41 D-Sec.
3339 - Fix Bad Randomness in Seed, reported by X41 D-Sec.
3340 - Fix python examples/calc.py for eval, reported by X41 D-Sec.
3341 - Fix comments for doxygen in dns64.
3344 - Fix CVE-2019-18934, shell execution in ipsecmod.
3345 - 1.9.5 is 1.9.4 with bugfix, trunk is 1.9.6 in development.
3346 - Fix authzone printout buffer length check.
3347 - Fixes to please lint checks.
3348 - Fix Integer Overflow in Regional Allocator,
3349 reported by X41 D-Sec.
3350 - Fix Unchecked NULL Pointer in dns64_inform_super()
3351 and ipsecmod_new(), reported by X41 D-Sec.
3352 - Fix Out-of-bounds Read in rr_comment_dnskey(),
3353 reported by X41 D-Sec.
3354 - Fix Integer Overflows in Size Calculations,
3355 reported by X41 D-Sec.
3356 - Fix Integer Overflow to Buffer Overflow in
3357 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
3358 - Fix Out of Bounds Read in sldns_str2wire_dname(),
3359 reported by X41 D-Sec.
3360 - Fix Out of Bounds Write in sldns_bget_token_par(),
3361 reported by X41 D-Sec.
3364 - In unbound-host use separate variable for get_option to please
3366 - update to bison output of 3.4.1 in code repository.
3367 - Provide a prototype for compat malloc to remove compile warning.
3368 - Portable grep usage for reuseport configure test.
3369 - Check return type of HMAC_Init_ex for openssl 0.9.8.
3370 - gitignore .source tempfile used for compatible make.
3373 - iana portlist updated.
3374 - contrib/fastrpz.patch updated to apply for current code.
3375 - fixes for splint cleanliness, long vs int in SSL set_mode.
3378 - Fix #109: check number of arguments for stdin-pipes in
3379 unbound-control and fail if too many arguments.
3380 - Merge #102 from jrtc27: Add getentropy emulation for FreeBSD.
3383 - Fix #99: Memory leak in ub_ctx (event_base will never be freed).
3386 - Add new configure option `--enable-fully-static` to enable full static
3390 - Merge #97: manpage: Add missing word on unbound.conf,
3394 - drop-tld.diff: adds option drop-tld: yesno that drops 2 label
3396 patch -p1 < contrib/drop-tld.diff and compile.
3402 - Add doxygen comments to unbound-anchor source address code, in #86.
3405 - Merge #90 from vcunat: fix build with nettle-3.5.
3406 - Merge 1.9.4 release with fix for vulnerability CVE-2019-16866.
3407 - Continue with development of 1.9.5.
3408 - Merge #86 from psquarejho: Added -b source address option to
3409 smallapp/unbound-anchor.c, from Lukas Wunner.
3412 - Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
3416 - The unbound.conf includes are sorted ascending, for include
3420 - Merge #85 for #84 from sam-lunt: Add kill capability to systemd
3424 - Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
3426 - Merge #81 from Maryse47: Consistently use /dev/urandom instead
3428 - Merge #83 from Maryse47: contrib/unbound.service.in: do not fork
3432 - Fix #78: Memory leak in outside_network.c.
3433 - Merge pull request #76 from Maryse47: Improvements and fixes for
3435 - oss-fuzz badge on README.md.
3436 - Fix fix for #78 to also free service callback struct.
3437 - Fix for oss-fuzz build warning.
3438 - Fix wrong response ttl for prepended short CNAME ttls, this would
3439 create a wrong zero_ttl response count with serve-expired enabled.
3440 - Merge #80 from stasic: Improve wording in man page.
3443 - Use explicit bzero for wiping clear buffer of hash in cachedb,
3444 reported by Eric Sesterhenn from X41 D-Sec.
3447 - Fix #72: configure --with-syslog-facility=LOCAL0-7 with default
3452 - Fix #71: fix openssl error squelch commit compilation error.
3455 - squelch DNS over TLS errors 'ssl handshake failed crypto error'
3461 - ipset module #28: log that an address is added, when verbosity high.
3462 - ipset: refactor long routine into three smaller ones.
3463 - updated Makefile dependencies.
3466 - Fix contrib/fastrpz.patch asprintf return value checks.
3469 - Fix that pkg-config is setup before --enable-systemd needs it.
3470 - 1.9.3rc2 release candidate tag. And this became the 1.9.3 release.
3474 - Fix log_dns_msg to log irrespective of minimal responses config.
3477 - Document limitation of pidfile removal outside of chroot directory.
3480 - Fix unittest valgrind false positive uninitialised value report,
3481 where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
3485 valgrinds --expensive-definedness-checks=yes can stop this false
3487 - Please doxygen's parser for "@" occurrence in doxygen comment.
3488 - Fixup contrib/fastrpz.patch
3489 - Remove warning about unknown cast-function-type warning pragma.
3492 - iana portlist updated.
3493 - Fix autotrust temp file uniqueness windows compile.
3494 - avoid warning about upcast on 32bit systems for autotrust.
3495 - escape commandline contents for -V.
3496 - Fix character buffer size in ub_ctx_hosts.
3497 - 1.9.3rc1 release candidate tag.
3498 - Option -V prints if TCP fastopen is available.
3501 - Fix #59, when compiled with systemd support check that we can properly
3505 - Generate configlexer with newer flex.
3506 - Fix warning for unused variable for compilation without systemd.
3509 - Introduce `-V` option to print the version number and build options.
3511 are now moved from `-h` to `-V` as well for consistency.
3512 - PACKAGE_BUGREPORT now also includes link to GitHub issues.
3515 - For #52 #53, second context does not close logfile override.
3516 - Fix #52 #53, fix for example fail program.
3517 - Fix to return after failed auth zone http chunk write.
3518 - Fix to remove unused test for task_probe existance.
3519 - Fix to timeval_add for remaining second in microseconds.
3520 - Check repinfo in worker_handle_request, if null, drop it.
3523 - Add verbose log message when auth zone file is written, at level 4.
3524 - Add hex print of trust anchor pointer to trust anchor file temp
3528 - Fix question section mismatch in local zone redirect.
3531 - Fix #49: Set no renegotiation on the SSL context to stop client
3535 - Fix #48: Unbound returns additional records on NODATA response,
3536 if minimal-responses is enabled, also the additional for negative
3540 - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
3545 - Fix for possible assertion failure when answering respip CNAME from
3549 - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
3550 when do-not-query-localhost is turned on, or at default on,
3551 unbound-checkconf prints a warning if it is found in forward-addr or
3552 stub-addr statements.
3555 - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
3558 - PR #28: IPSet module, by Kevin Chou. Created a module to support
3560 Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
3561 - Fix to omit RRSIGs from addition to the ipset.
3562 - Fix to make unbound-control with ipset, remove unused variable,
3565 - make depend
3566 - Added documentation to the ipset files (for doxygen output).
3567 - Merge PR #6: Python module: support multiple instances
3568 - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
3569 - Merge PR #4: Python module: assign something useful to the
3570 per-query data store 'qdata'
3571 - Fix python dict reference and double free in config.
3574 - Master contains version 1.9.3 in development.
3575 - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
3576 - Fix for #24: Fix abort due to scan of auth zone masters using old
3580 - Fix another spoolbuf storage code point, in prefetch.
3581 - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
3585 - Fix that fixes the Fix that spoolbuf is not used to store tcp
3588 - 1.9.2rc2 release candidate tag.
3591 - 1.9.2rc1 release candidate tag.
3594 - iana portlist updated.
3597 - Fix to guard _OPENBSD_SOURCE from redefinition.
3600 - Fix to define _OPENBSD_SOURCE to get reallocarray on NetBSD.
3601 - gitignore config.h.in~.
3604 - Fix double file close in tcp pipelined response code.
3607 - Fix that spoolbuf is not used to store tcp pipelined response
3611 - Note that so-reuseport at extreme load is better turned off,
3615 - Fix #31: swig 4.0 and python module.
3618 - Squelch log messages from tcp send about connection reset by peer.
3621 - Attempt to fix malformed tcp response.
3624 - Revert fix for oss-fuzz, error is in that build script that
3629 - Attempt to fix build failure in oss-fuzz because of reallocarray.
3630 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14648.
3634 - Fix edns-subnet locks, in error cases the lock was not unlocked.
3635 - Fix doxygen output error on readme markdown vignettes.
3638 - Fix #29: Solaris 11.3 and missing symbols be64toh, htobe64.
3639 - Fix #30: AddressSanitizer finding in lookup3.c. This sets the
3646 - contrib/fastrpz.patch updated for code changes, and with git diff.
3647 - Fix .gitignore, add pythonmod and dnstap generated files.
3651 - Update makedist for git.
3652 - Nicer travis output for clang analysis.
3653 - PR #16: XoT support, AXFR over TLS, turn it on with
3654 master: <ip>#<authname> in unbound.conf. This uses TLS to
3658 - Fix wrong query name in local zone redirect answers with a CNAME,
3662 - Scrub RRs from answer section when reusing NXDOMAIN message for
3664 - For harden-below-nxdomain: do not consider a name to be non-exitent
3668 - travis build file.
3671 - Better braces in if statement in TCP fastopen code.
3672 - iana portlist updated.
3675 - Fix tls write event for read state change to re-call SSL_write and
3679 - Update python documentation for init_standard().
3680 - Typos.
3683 - Fix that auth zone uses correct network type for sockets for
3686 - Fix that auth zone fails over to next master for timeout in tcp.
3687 - Squelch SSL read and write connection reset by peer and broken pipe
3691 - Fix to use event_assign with libevent for thread-safety.
3692 - verbose information about auth zone lookup process, also lookup
3694 - Fix #17: Add python module example from Jan Janak, that is a
3699 - Fix to wipe ssl ticket keys from memory with explicit_bzero,
3703 - Fix to reinit event structure for accepted TCP (and TLS) sockets.
3706 - Fix spelling error in log output for event method.
3709 - Move goto label in answer_from_cache to the end of the function
3711 - Fix auth-zone NSEC3 response for wildcard nodata answers,
3715 - Fix auth-zone NSEC3 response for empty nonterminals with exact
3717 - Fix for out of bounds integers, thanks to OSTIF audit. It is in
3719 - Fix for auth zone nsec3 ent fix for wildcard nodata.
3722 - Fix that tls-session-ticket-keys: "" on its own in unbound.conf
3724 - Fix crash if tls-servic-pem not filled in when necessary.
3727 - Fix #4240: Fix whitespace cleanup in example.conf.
3730 - add type CAA to libpyunbound (accessing libunbound from python).
3733 - Add log message, at verbosity 4, that says the query is encrypted
3735 - Fix #4239: set NOTIMPL when deny-any is enabled, for RFC8482.
3738 - Fix for #4233: guard use of NDEBUG, so that it can be passed in
3742 - Tag release 1.9.1rc1. Which became 1.9.1 on 12 March 2019. Trunk
3746 - output forwarder log in ssl_req_order test.
3749 - Remove memory leak on pythonmod python2 script file init.
3750 - Remove swig gcc8 python function cast warnings, they are ignored.
3751 - Print correct module that failed when module-config is wrong.
3754 - Fix #4229: Unbound man pages lack information, about access-control
3756 - Fix #14: contrib/unbound.init: Fix wrong comparison judgment
3758 - Fix for python module on Windows, fix fopen.
3761 - Fix #4227: pair event del and add for libevent for tcp_req_info.
3764 - Fix the error for unknown module in module-config is understandable,
3766 - In example.conf explain where to put cachedb module in module-config.
3767 - In man page and example config explain that most modules have to
3768 be listed at the start of module-config.
3771 - Fix pythonmod include and sockaddr_un ifdefs for compile on
3775 - Print query name with ip_ratelimit exceeded log lines.
3776 - Spaces instead of tabs in that log message.
3777 - Print query name and IP address when domain rate limit exceeded.
3780 - Fix capsforid canonical sort qsort callback.
3783 - Note default for module-config in man page.
3784 - Fix recursion lame test for qname minimisation asked queries,
3786 - Fix #13: Remove left-over requirements on OpenSSL >= 1.1.0 for
3788 - make depend, with newer gcc, nicer layout.
3791 - Fix #4206: OpenSSL 1.0.2 hostname verification for FreeBSD 11.2.
3792 - Fix that qname minimisation does not skip a label when missing
3794 - Fix #4225: clients seem to erroneously receive no answer with
3795 DNS-over-TLS and qname-minimisation.
3798 - Fix that log-replies prints the correct name for local-alias
3799 names, for names that have a CNAME in local-data configuration.
3801 - Add local-zone type inform_redirect, which logs like type inform,
3803 - Perform canonical sort for 0x20 capsforid compare of replies,
3808 - Set ub_ctx_set_tls call signature in ltrace config file for
3809 libunbound in contrib/libunbound.so.conf.
3810 - improve documentation for tls-service-key and forward-first.
3811 - #10: fixed pkg-config operations, PKG_PROG_PKG_CONFIG moved out of
3813 - #9: For openssl 1.0.2 use the CRYPTO_THREADID locking callbacks,
3816 - #8: Fix OpenSSL without ENGINE support compilation.
3817 - Wipe TLS session key data from memory on exit.
3820 - Fix case in which query timeout can result in marking delegation
3824 - Fix spelling of tls-ciphers in example.conf.in.
3825 - Fix #4224: auth_xfr_notify.rpl test broken due to typo
3826 - Fix locking for libunbound context setup with broken port config.
3829 - ub_ctx_set_tls call for libunbound that enables DoT for the machines
3831 - Set build system for added call in the libunbound API.
3832 - List example config for root zone copy locally hosted with auth-zone
3833 as suggested from draft-ietf-dnsop-7706-bis-02. But with updated
3835 - set version to 1.9.0 for release. And this was released with the
3836 spelling for tls-ciphers fix as 1.9.0 on Feb 5. Trunk has 1.9.1 in
3840 - Fix that tcp for auth zone and outgoing does not remove and
3842 - updated contrib/fastrpz.patch to cleanly diff.
3843 - no lock when threads disabled in tcp request buffer count.
3844 - remove compile warnings from libnettle compile.
3845 - output of newer lex 2.6.1 and bison 3.0.5.
3848 - Newer aclocal and libtoolize used for generating configure scripts,
3850 - Fix unit test for python 3.7 new keyword 'async'.
3851 - clang analysis fixes, assert arc4random buffer in init,
3859 - Patch from Florian Obser fixes some compiler warnings:
3879 - Moved includes and make depend.
3882 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
3883 options for unbound.conf.
3884 - Fixes for the patch, and man page entry.
3885 - Fix configure to detect SSL_CTX_set_ciphersuites, for better
3887 - Patch for TLS session resumption from Manabu Sonoda,
3888 enable with tls-session-ticket-keys in unbound.conf.
3889 - Fixes for patch (includes, declarations, warnings). Free at end
3892 - Fix for IXFR fallback to reset counter when IXFR does not timeout.
3895 - Fix space calculation for tcp req buffer size.
3896 - Doc for stream-wait-size and unit test.
3897 - unbound-control stats has mem.streamwait that counts TCP and TLS
3899 - Fix for #4219: secondaries not updated after serial change, unbound
3901 - Fix that auth zone after IXFR fallback tries the same master.
3904 - Fix tcp idle timeout test, for difference in the tcp reply code.
3905 - Unit test for tcp request reorder and timeouts.
3906 - Unit tests for ssl out of order processing.
3907 - Fix that multiple dns fragments can be carried in one TLS frame.
3908 - Add stream-wait-size: 4m config option to limit the maximum
3913 - For caps-for-id fallback, use the whitelist to avoid timeout
3915 - increase mesh max activation count for capsforid long fetches.
3918 - Get ready for the DNS flag day: remove EDNS lame procedure, do not
3919 re-query without EDNS after timeout.
3922 - In the out of order processing, reset byte count for (potential)
3924 - Review fixes in out of order processing.
3927 - streamtcp option -a send queries consecutively and prints answers
3929 - Fix for out of order processing administration quit cleanup.
3930 - unit test for tcp out of order processing.
3933 - Initial commit for out-of-order processing for TCP and TLS.
3936 - Log query name for looping module errors.
3939 - Fix syntax in comment of local alias processing.
3940 - Fix NSEC3 record that is returned in wildcard replies from
3941 auth-zone zones with NSEC3 and wildcards.
3944 - On FreeBSD warn if systcl settings do not allow server TCP FASTOPEN,
3946 - Document interaction between the tls-upstream option in the server
3947 section and forward-tls-upstream option in the forward-zone sections.
3948 - Add contrib/unbound-fuzzme.patch from Jacob Hoffman-Andrews,
3952 - Fix for crash in dns64 module if response is null.
3955 - Fix config parser memory leaks.
3956 - ip-ratelimit-factor of 1 allows all traffic through, instead of the
3958 - Fix for FreeBSD port make with dnscrypt and dnstap enabled.
3959 - Fix #4206: support openssl 1.0.2 for TLS hostname verification,
3961 - Fixup openssl 1.0.2 compile
3964 - Fix dns64 allocation in wrong region for returned internal queries.
3967 - Fix icon, no ragged edges and nicer resolutions available, for eg.
3969 - cache-max-ttl also defines upperbound of initial TTL in response.
3972 - Patch for typo in unbound.conf man page.
3973 - log-tag-queryreply: yes in unbound.conf tags the log-queries and
3974 log-replies in the log file for easier log filter maintenance.
3977 - iana portlist updated.
3978 - Fix chroot auth-zone fix to remove chroot prefix.
3979 - tag for 1.8.2rc1, which became 1.8.2 on 4 dec 2018, with icon
3983 - Fix that unbound-checkconf does not complains if the config file
3985 - Refuse to start with no ports.
3986 - Remove clang analysis warnings.
3989 - Fix leak in chroot fix for auth-zone.
3990 - Fix clang analysis for outside directory build test.
3993 - Fix DNS64 to not store intermediate results in cache, this avoids
3996 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
3997 - New and better fix for Fix #4193: Fix that prefetch failure does
3999 - auth-zone give SERVFAIL when expired, fallback activates when
4001 - stat count SERVFAIL downstream auth-zone queries for expired zones.
4002 - Put new logos into windows installer.
4003 - Fix windows compile for new rrset roundrobin fix.
4004 - Update contrib fastrpz patch for latest release.
4007 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
4009 - Fix #4193: Fix that prefetch failure does not overwrite valid cache
4011 - Add unbound-control view_local_datas command, like local_datas.
4012 - Fix that unbound-control can send file for view_local_datas.
4015 - With ./configure --with-pyunbound --with-pythonmodule
4018 - pythonmod logs the python error and traceback on failure.
4019 - ignore debug python module for test in doxygen output.
4020 - review fixes for python module.
4021 - Fix #4209: Crash in libunbound when called from getdns.
4022 - auth zone zonefiles can be in a chroot, the chroot directory
4024 - Fix that empty zonefile means the zonefile is not set and not used.
4025 - make depend.
4028 - Scrub NS records from NODATA responses as well.
4031 - Scrub NS records from NXDOMAIN responses to stop fragmentation
4033 - Add patch from Jan Vcelak for pythonmod,
4036 - Removed compile warnings in pythonmod sockaddr routines.
4039 - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
4040 option in unbound.conf.
4043 - Bugfix min-client-subnet-ipv6
4046 - Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
4049 - Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
4050 - Fix #4190: Please create a "ANY" deny option, adds the option
4051 deny-any: yes in unbound.conf. This responds with an empty message
4053 - Fix #4141: More randomness to rrset-roundrobin.
4054 - Fix #4132: Openness/closeness of RANGE intervals in rpl files.
4055 - Fix #4126: RTT_band too low on VSAT links with 600+ms latency,
4056 adds the option unknown-server-time-limit to unbound.conf that
4058 - remade makefile dependencies.
4059 - Fix #4152: Logs shows wrong time when using log-time-ascii: yes.
4062 - Add markdel function to ECS slabhash.
4063 - Limit ECS scope returned to client to the scope used for caching.
4064 - Make lint like previous #4154 fix.
4067 - Fix #4192: unbound-control-setup generates keys not readable by
4069 - check that the dnstap socket file can be opened and exists, print
4071 - Fix #4154: make ECS_MAX_TREESIZE configurable, with
4072 the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
4075 - Change fast-server-num default to 3.
4078 - Add fast-server-permil and fast-server-num options.
4079 - Deprecate low-rtt and low-rtt-permil options.
4082 - Squelch log of failed to tcp initiate after TCP Fastopen failure.
4085 - Squelch EADDRNOTAVAIL errors when the interface goes away,
4088 - Set default for so-reuseport to no for FreeBSD. It is enabled
4090 be configured in unbound.conf to override the default.
4091 - iana port update.
4094 - updated contrib/fastrpz.patch to apply for this version
4095 - dnscrypt.c removed sizeof to get array bounds.
4096 - Fix testlock code to set noreturn on error routine.
4097 - Remove unused variable from contrib fastrpz/rpz.c and
4099 - clang analyze test is used only when assertions are enabled.
4102 - tag for release 1.8.1rc1. Became release 1.8.1 on 8 oct, with
4106 - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL, fixes
4111 - Perform TLS SNI indication of the host that is being contacted
4115 - Fix #4149: Add SSL cleanup for tcp timeout.
4118 - Fix compile on Mac for unbound, provide explicit_bzero when libc
4120 - Fix unbound for openssl in FIPS mode, it uses the digests with
4122 - Fix that with harden-below-nxdomain and qname minisation enabled
4125 - Stop UDP to TCP failover after timeouts that causes the ping count
4128 - Fix #4156: Fix systemd service manager state change notification.
4131 - Fix seed for random backup code to use explicit zero when wiped.
4132 - exit log routine is annotated as noreturn function.
4133 - free memory leaks in config strlist and str2list insert functions.
4134 - do not move unused argv variable after getopt.
4135 - Remove unused if clause in testcode.
4136 - in testcode, free async ids, initialise array, and check for null
4139 - Free memory leak in config strlist append.
4140 - make sure nsec3 comparison salt is initialized.
4141 - unit test has clang analysis.
4142 - remove unused variable assignment from iterator scrub routine.
4143 - check for null in delegation point during iterator refetch
4145 - neater pointer cast in libunbound context quit routine.
4146 - initialize statistics totals for printout.
4147 - in authzone check that node exists before adding rrset.
4148 - in unbound-anchor, use readwrite memory BIO.
4149 - assertion in autotrust that packed rrset is formed correctly.
4150 - Fix memory leak when message parse fails partway through copy.
4151 - remove unused udpsize assignment in message encode.
4152 - nicer bio free code in unbound-anchor.
4153 - annotate exit functions with noreturn in unbound-control.
4156 - Fixed unused return value warnings in contrib/fastrpz.patch for
4158 - Fix to squelch respip warning in unit test, it is printed at
4160 - Fix spelling errors.
4161 - Fix initialisation in remote.c
4164 - 1.8.1 in svn trunk. (changes from 4,5,.. sep apply).
4165 - iana port update.
4168 - Fix spelling error in header, from getdns commit by Andreas Gelmini.
4171 - More explicitly mention the type of ratelimit when applying
4172 ip-ratelimit.
4175 - Tag for 1.8.0rc1 release, became 1.8.0 release on 10 Sep 2018.
4178 - Disable minimal-responses in subnet unit tests.
4181 - Fix that a local-zone with a local-zone-type that is transparent
4182 in a view with view-first, makes queries check for answers from the
4183 local-zones defined outside of views.
4186 - Disable minimal-responses in ipsecmod unit tests.
4187 - Added serve-expired-ttl and serve-expired-ttl-reset options.
4190 - Set defaults to yes for a number of options to increase speed and
4191 resilience of the server. The so-reuseport, harden-below-nxdomain,
4192 and minimal-responses options are enabled by default. They used
4195 setting them to "no" in the unbound.conf config file. The reuseport
4197 otherwise harmless. The harden-below-nxdomain option works well
4200 - next release is called 1.8.0.
4201 - Fix lintflags for lint on FreeBSD.
4204 - #4140: Expose repinfo (comm_reply) to the inplace_callbacks. This
4211 - log-local-actions: yes option for unbound.conf that logs all the
4213 - #4146: num.query.subnet and num.query.subnet_cache counters.
4214 - Fix only misc failure from log-servfail when val-log-level is not
4218 - Fix classification for QTYPE=CNAME queries when QNAME minimisation is
4222 - Set libunbound to increase current, because the libunbound change
4225 - print servfail info to log as error.
4226 - added more servfail printout statements, to the iterator.
4227 - log-servfail: yes prints log lines that say why queries are
4231 - Fix warning on compile without threads.
4232 - Fix contrib/fastrpz.patch.
4235 - Fix segfault in auth-zone read and reorder of RRSIGs.
4238 - Fix that printout of error for cycle targets is a verbosity 4
4240 - Upgraded crosscompile script to include libunbound DLL in the
4244 - Fix #4144: dns64 module caches wrong (negative) information.
4247 - unbound-checkconf checks if modules exist and prints if they are
4249 - document --enable-subnet in doc/README.
4250 - Patch for stub-no-cache and forward-no-cache options that disable
4255 - Make capsforid fallback QNAME minimisation aware.
4258 - Fix #4142: unbound.service.in: improvements and fixes.
4259 Add unit dependency ordering (based on systemd-resolved).
4264 - Patch to implement tcp-connection-limit from Jim Hague (Sinodun).
4267 - make depend, yacc, lex, doc, headers. And log the limit exceeded
4272 - Fix for #4136: Fix to unconditionally call destroy in daemon.c.
4275 - Expose if a query (or a subquery) was ratelimited (not src IP
4278 libunbound/unbound-event.h.
4279 - Tidy pylib tests.
4282 - Revert previous change for #4136: because it introduces build
4284 - New fix for #4136: This one ignores lex without without
4288 - Fix to remove systemd sockaddr function check, that is not
4291 - iana port list update.
4294 - Patches from Jim Hague (Sinodun) for EDNS KeepAlive.
4295 - Sort out test runs when the build directory isn't the project
4297 - Add config tcp-idle-timeout (default 30s). This applies to
4300 - Error if EDNS Keepalive received over UDP.
4301 - Add edns-tcp-keepalive and edns-tcp-keepalive timeout options
4303 - Correct and expand manual page entries for keepalive and idle timeout.
4304 - Implement progressive backoff of TCP idle/keepalive timeout.
4305 - Fix 'make depend' to work when build dir is not project root.
4306 - Add delay parameter to streamtcp, -d secs.
4308 - From Wouter: make depend, the dependencies in the patches did not
4310 - Fix mesh.c incompatible pointer pass.
4311 - Please doxygen so it passes.
4312 - Fix #4139: Fix unbound-host leaks memory on ANY.
4315 - Fix #4136: insufficiency from mismatch of FLEX capability between
4319 - Fix man page, say that chroot is enabled by default.
4322 - Fix #4135: 64-bit Windows Installer Creates Entries Under The
4326 - Fix use-systemd readiness signalling, only when use-systemd is yes
4330 - Fix #4130: print text describing -dd and unbound-checkconf on
4333 - Fix #4131: for solaris, error YY_CURRENT_BUFFER undeclared.
4336 - Fix #4129 unbound-control error message with wrong cert permissions
4340 - Fix #4127 unbound -h does not list -p help.
4341 - Print error if SSL name verification configured but not available
4343 - Fix that ratelimit and ip-ratelimit are applied after reload of
4345 - Resize ratelimit and ip-ratelimit caches if changed on reload.
4348 - Fix qname minimisation NXDOMAIN validation lookup failures causing
4350 - Squelch can't bind socket errors with Permission denied unless
4354 - Fix to improve systemd socket activation code file descriptor
4356 - Fix for 4126 that the #define for UNKNOWN_SERVER_NICENESS can be more
4360 - Note in documentation that the cert name match code needs
4364 - Fix documentation ambiguity for tls-win-cert in tls-upstream and
4365 forward-tls-upstream docs.
4366 - iana port update.
4367 - Note RFC8162 support. SMIMEA record type can be read in by the
4369 - Fix round robin for failed addresses with prefer-ip6: yes
4372 - Fix #4112: Fix that unbound-anchor -f /etc/resolv.conf will not pass
4373 if DNSSEC is not enabled. New option -R allows fallback from
4374 resolv.conf to direct queries.
4377 - Better documentation for unblock-lan-zones and insecure-lan-zones
4379 - Fix permission denied printed for auth zone probe random port nrs.
4382 - Fix checking for libhiredis printout in configure output.
4383 - Fix typo on man page in ip-address description.
4384 - Update libunbound/python/examples/dnssec_test.py example code to
4388 - dns64-ignore-aaaa: config option to list domain names for which the
4393 - num.queries.tls counter for queries over TLS.
4394 - log port number with err_addr logs.
4397 - #4109: Fix that package config depends on python unconditionally.
4398 - Patch, do not export python from pkg-config, from Petr Menšík.
4401 - Partial fix for permission denied on IPv6 address on FreeBSD.
4402 - Fix that auth-zone master reply with current SOA serial does not
4404 - Fix that auth-zone does not start the wait timer without checking
4408 - #4108: systemd reload hang fix.
4409 - Fix usage printout for unbound-host, hostname has to be last
4413 - Fix for unbound-control on Windows and set TCP socket parameters
4416 - Windows example service.conf edited with more windows specific
4418 - Fix windows unbound-control no cert bad file descriptor error.
4422 - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
4424 - Fix unbound-checkconf for control-use-cert.
4428 - tag for 1.7.3rc1.
4429 - trunk has 1.7.4.
4430 - unbound-control auth_zone_reload _zone_ option rereads the zonefile.
4431 - unbound-control auth_zone_transfer _zone_ option starts the probe
4436 - #4103: Fix that auth-zone does not insist on SOA record first in
4438 - Fix that first control-interface determines if TLS is used. Warn
4440 - Fix nettle compile.
4443 - Don't count CNAME response types received during qname minimisation as
4447 - #4102 for NSD, but for Unbound. Named unix pipes do not use
4449 directory permissions. The option control-use-cert is no longer
4450 used, and ignored if found in unbound.conf.
4451 - Rename tls-additional-ports to tls-additional-port, because every
4453 - Fix buffer size warning in unit test.
4454 - remade dependencies in the Makefile.
4457 - Patch to fix openwrt for mac os build darwin detection in configure.
4460 - Fix crash if ratelimit taken into use with unbound-control
4461 instead of with unbound.conf.
4464 - Fix deadlock caused by incoming notify for auth-zone.
4465 - tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018,
4467 - #4100: Fix stub reprime when it becomes useless.
4470 - Rename additional-tls-port to tls-additional-ports.
4474 - Patch from Syzdek: Add ability to ignore RD bit and treat all
4478 - in compat/arc4random call getentropy_urandom when getentropy fails
4480 - Fix that fallback for windows port.
4483 - Fix windows tcp and tls spin on events.
4484 - Add routine from getdns to add windows cert store to the SSL_CTX.
4485 - tls-win-cert option that adds the system certificate store for
4486 authenticating DNS-over-TLS connections. It can be used instead
4487 of the tls-cert-bundle option, or with it to add certificates.
4490 - For TCP and TLS connections that don't establish, perform address
4492 - Fix that tcp sticky events are removed for closed fd on windows.
4493 - Fix close events for tcp only.
4496 - Fix that libunbound can do DNS-over-TLS, when configured.
4497 - Fix that windows unbound service can use DNS-over-TLS.
4498 - unbound-host initializes ssl (for potential DNS-over-TLS usage
4499 inside libunbound), when ssl upstream or a cert-bundle is configured.
4502 - Use accept4 to speed up incoming TCP (and TLS) connections,
4506 - Qname minimisation default changed to yes.
4509 - Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
4512 - Fix contrib/libunbound.pc for libssl libcrypto references,
4516 - Fix windows to not have sticky TLS events for TCP.
4517 - Fix read of DNS over TLS length and data in one read call.
4518 - Fix mesh state assertion failure due to callback removal.
4521 - Fix that configure --with-libhiredis also turns on cachedb.
4522 - Fix gcc 8 buffer warning in testcode.
4523 - Fix function type cast warning in libunbound context callback type.
4526 - Fix fail to reject dead peers in forward-zone, with ssl-upstream.
4529 - Fix that unbound-control reload frees the rrset keys and returns
4533 - Fix spelling error in man page and note defaults as no instead of
4537 - Fix for crash in daemon_cleanup with dnstap during reload,
4539 - Also that for dnscrypt.
4540 - tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk
4544 - Fix memory leak when caching wildcard records for aggressive NSEC use
4547 - Fix contrib/fastrpz.patch for this release.
4548 - Fix auth https for libev.
4551 - Added root-key-sentinel support
4554 - makedist uses bz2 for expat code, instead of tar.gz.
4555 - Fix #4092: libunbound: use-caps-for-id lacks colon in
4557 - auth zone http download stores exact copy of downloaded file,
4559 - Fix sldns parse failure for CDS alternate delete syntax empty hex.
4560 - Attempt for auth zone fix; add of callback in mesh gets from
4562 - Fix cname classification with qname minimisation enabled.
4563 - list_auth_zones unbound-control command.
4566 - man page documentation for dns-over-tls forward-addr '#' notation.
4567 - removed free from failed parse case.
4568 - Fix #4091: Fix that reload of auth-zone does not merge the zonefile
4570 - Delete auth zone when removed from config.
4573 - Can set tls authentication with forward-addr: IP#tls.auth.name
4574 And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem".
4575 such as forward-addr: 9.9.9.9@853#dns.quad9.net or
4576 1.1.1.1@853#cloudflare-dns.com
4577 - Fix #658: unbound using TLS in a forwarding configuration does not
4579 - For addr with #authname and no @port notation, the default is 853.
4582 - Fix auth-zone retry timer to be on schedule with retry timeout,
4586 - auth zone notify work.
4587 - allow-notify: config statement for auth-zones.
4588 - unit test for allow-notify
4591 - Fix auth zone target lookup iterator.
4592 - auth zone notify with prefix
4593 - auth zone notify work.
4596 - Fix for max include depth for authzones.
4597 - Fix memory free on fail for $INCLUDE in authzone.
4598 - Fix that an internal error to look up the wrong rr type for
4600 - auth zone notify work.
4603 - num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN
4607 - documentation for low-rtt and low-rtt-pct.
4608 - auth zone notify work.
4611 - Fix that flush_zone sets prefetch ttl expired, so that with
4612 serve-expired enabled it'll start prefetching those entries.
4613 - num.query.authzone.up and num.query.authzone.down statistics counters.
4614 - Fix downstream auth zone, only fallback when auth zone fails to
4616 - Accept both option names with and without colon for get_option
4618 - low-rtt and low-rtt-pct in unbound.conf enable the server selection
4622 - Combine write of tcp length and tcp query for dns over tls.
4623 - nitpick fixes in example.conf.
4624 - Fix above stub queries for type NS and useless delegation point.
4625 - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
4628 - ED448 support.
4631 - Fix #4043: make test fails due to v6 presentation issue in macOS.
4632 - Fix unable to resolve after new WLAN connection, due to auth-zone
4633 failing with a forwarder set. Now, auth-zone is only used for
4637 - Check "result" in dup_all(), by Florian Obser.
4640 - Fix unbound-control get_option aggressive-nsec
4643 - Do not use cached NSEC records to generate negative answers for
4647 - iana port update.
4650 - corrected a minor typo in the changelog.
4651 - move htobe64/be64toh portability code to cachedb.c.
4654 - Add --with-libhiredis, unbound support for a new cachedb backend
4657 And unbound should be built with both --enable-cachedb and
4658 --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
4660 - Fix #3817: core dump happens in libunbound delete, when queued
4662 - Create additional tls service interfaces by opening them on other
4663 portnumbers and listing the portnumbers as additional-tls-port: nr.
4666 - Fix typo in documentation.
4667 - Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually
4668 flushed with serve-expired on.
4671 - Added documentation for aggressive-nsec: yes.
4672 - tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk
4674 - Fix #3727: Protocol name is TLS, options have been renamed but
4676 - Check IXFR start serial.
4679 - Fix #3598: Fix swig build issue on rhel6 based system.
4680 configure --disable-swig-version-check stops the swig version check.
4683 - tag 1.7.0rc2.
4686 - Fixed contrib/fastrpz.patch, even though this already applied
4688 - patch to log creates keytag queries, from A. Schulze.
4689 - patch suggested by Debian lintian: allow to -> allow one to, from
4691 - Attempt to remove warning about trailing whitespace.
4694 - Reverted fix for #3512, this may not be the best way forward;
4697 - svn trunk contains 1.7.0, this is the number for the next release.
4698 - Fix for windows compile.
4699 - tag 1.7.0rc1.
4702 - Fix to check define of DSA for when openssl is without deprecated.
4703 - iana port update.
4704 - Fix #3582: Squelch address already in use log when reuseaddr option
4708 - Fixup contrib/fastrpz.patch so that it applies.
4709 - Fix compile without threads, and remove unused variable.
4710 - Fix compile with staticexe and python module.
4711 - Fix nettle compile.
4714 - Save wildcard RRset from answer with original owner for use in
4718 - Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
4720 - Fix validation for CNAME loops. When it detects a cname loop,
4723 - more robust cachedump rrset routine.
4726 - Fix #3505: Documentation for default local zones references
4728 - Fix #3494: local-zone noview can be used to break out of the view
4730 - Fix for more maintainable code in localzone.
4733 - Fixes for clang static analyzer, the missing ; in
4734 edns-subnet/addrtree.c after the assert made clang analyzer
4738 - Aggressive NSEC tests
4741 - tls-cert-bundle option in unbound.conf enables TLS authentication.
4742 - iana port update.
4745 - Unit test for auth zone https url download.
4748 - Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
4749 - Processed aggressive NSEC code review remarks Wouter
4752 - Aggressive use of NSEC implementation. Use cached NSEC records to
4756 - iana port update.
4757 - auth zone url config.
4760 - Fix #3451: dnstap not building when you have a separate build dir.
4762 - auth-zone provides a way to configure RFC7706 from unbound.conf,
4763 eg. with auth-zone: name: "." for-downstream: no for-upstream: yes
4764 fallback-enabled: yes and masters or a zonefile with data.
4767 - Fix unfreed locks in log and arc4random at exit of unbound.
4768 - unit test with valgrind
4769 - Fix lock race condition in dns cache dname synthesis.
4770 - lock subnet new item before insertion to please checklocks,
4774 - fix unaligned structure making a false positive in checklock
4778 - Use NSEC with longest ce to prove wildcard absence.
4779 - Only use *.ce to prove wildcard absence, no longer names.
4782 - ltrace.conf file for libunbound in contrib.
4785 - Fix that unbound-checkconf -f flag works with auto-trust-anchor-file
4787 - Print fatal errors about remote control setup before log init,
4791 - Accept tls-upstream in unbound.conf, the ssl-upstream keyword is
4792 also recognized and means the same. Also for tls-port,
4793 tls-service-key, tls-service-pem, stub-tls-upstream and
4794 forward-tls-upstream.
4795 - Fix #3397: Fix that cachedb could return a partial CNAME chain.
4796 - Fix #3397: Fix that when the cache contains an unsigned DNAME in
4801 - tag 1.6.8 for release with CVE fix.
4802 - trunk has 1.6.9 with fix and previous commits.
4803 - patch for CVE-2017-15105: vulnerability in the processing of
4805 - iana port update.
4806 - make depend: code dependencies updated in Makefile.
4809 - Copy query and correctly set flags on REFUSED answers when cache
4813 - Fix queries being leaked above stub when refetching glue.
4816 - Fix that DS queries with referral replies are answered straight
4820 - Remove clang optimizer disable,
4821 Fix that expiration date checks don't fail with clang -O2.
4824 - Fix timestamp failure because of clang optimizer failure, by
4825 disabling -O2 when the compiler --version is clang.
4826 - iana port update.
4827 - Also disable -flto for clang, to make incep-expi signature check
4831 - Fix qname-minimisation documentation (A QTYPE, not NS)
4834 - authzone work, transfer connect.
4837 - Check whether --with-libunbound-only is set when using --with-nettle
4838 or --with-nss.
4841 - Fix link failure on OmniOS.
4844 - auth zone work.
4847 - Fix #3299 - forward CNAME daisy chain is not working
4850 - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
4852 - auth xfer work on probe timer and lookup.
4855 - Fix #2801: Install libunbound.pc.
4856 - Fix qname minimisation to send AAAA queries at zonecut like type A.
4857 - reverted AAAA change.
4860 - Fix #2492: Documentation libunbound.
4863 - Fix #2362: TLS1.3/openssl-1.1.1 not working.
4864 - Fix #2034 - Autoconf and -flto.
4865 - Fix #2141 - for libsodium detect lack of entropy in chroot, print
4869 - Fix #1913: ub_ctx_config is under circumstances thread-safe.
4870 - make ip-transparent option work on OpenBSD.
4873 - Document that errno is left informative on libunbound config read
4875 - lexer output.
4876 - iana port update.
4879 - Fixed libunbound manual typo.
4880 - Fix #1949: [dnscrypt] make provider name mismatch more obvious.
4881 - Fix #2031: Double included headers
4884 - Update B root ipv4 address.
4887 - authzone work, probe timer setup.
4890 - lint for recent authzone commit.
4893 - Fix #1749: With harden-referral-path: performance drops, due to
4895 - [dnscrypt] prevent dnscrypt-secret-key, dnscrypt-provider-cert
4897 - [dnscrypt] introduce dnscrypt-provider-cert-rotated option,
4907 The `dnscrypt-provider-cert-rotated` allow to instruct unbound to not
4909 - Better documentation for cache-max-negative-ttl.
4910 - Work on local root zone code.
4913 - tag 1.6.7
4914 - trunk has version 1.6.8.
4917 - Fix spelling in unbound-control man page.
4920 - Fix trust-anchor-signaling works in libunbound.
4921 - Fix some more crpls in testdata for different signaling default.
4922 - tag 1.6.7rc1
4925 - Set trust-anchor-signaling default to yes
4926 - Use RCODE from A query on DNS64 synthesized answer.
4929 - Fix param unused warning for windows exportsymbol compile.
4932 - Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch
4936 - Log name of looping module
4939 - use a cachedb answer even if it's "expired" when serve-expired is yes
4941 - trigger refetching of the answer in that case (this will bypass
4943 - allow storing a 0-TTL answer from cachedb in the in-memory message
4944 cache when serve-expired is yes
4945 - Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff.
4948 - Fix #1400: allowing use of global cache on ECS-forwarding unless
4949 always-forward.
4952 - tag 1.6.6 (is 1.6.6rc2)
4953 - Fix that looping modules always stop the query, and don't pass
4955 - Fix #1435: Please allow UDP to be disabled separately upstream and
4957 - Fix #1440: [dnscrypt] client nonce cache.
4960 - Fix unbound-host to report error for DNSSEC state of failed lookups.
4961 - Spelling fixes, from Josh Soref.
4964 - tag 1.6.6rc2, became 1.6.6 on 18 sep. trunk 1.6.7 in development.
4967 - Add dns64 for client-subnet in unbound-checkconf.
4970 - Fix #1412: QNAME minimisation strict mode not honored
4971 - Fix #1434: Fix windows openssl 1.1.0 linking.
4974 - tag 1.6.6rc1
4975 - makedist fix for windows binaries, with openssl 1.1.0 windres fix,
4979 - Recommend 1472 buffer size in unbound.conf
4982 - Fix #1424: cachedb:testframe is not thread safe.
4983 - For #1417: escape ; in dnscrypt tests.
4984 - but reverted that, tests fails with that escape.
4985 - Fix #1417: [dnscrypt] shared secret cache counters, and works when
4987 - make depend
4988 - Fix #1418: [ip ratelimit] initialize slabhash using
4989 ip-ratelimit-slabs.
4992 - updated contrib/fastrpz.patch to apply with configparser changes.
4993 - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
4996 - Fix #1414: fix segfault on parse failure and log_replies.
4997 - zero qinfo in handle_request, this zeroes local_alias and also the
4999 - new keys and certs for dnscrypt tests.
5000 - fixup WKS test on buildhost without servicebyname.
5003 - Fix #1415: patch to free dnscrypt environment on reload.
5004 - iana portlist update
5005 - Fix #1415: [dnscrypt] shared secret cache, patch from
5007 - Small fixes for the shared secret cache patch.
5008 - Fix WKS records on kvm autobuild host, with default protobyname
5012 - Fix #1407: Add ECS options check to unbound-checkconf.
5013 - make depend
5014 - Fix to reclaim tcp handler when it is closed due to dnscrypt buffer
5018 - Fix install of trust anchor when two anchors are present, makes both
5022 - tag 1.6.5 with pointrelease 1.6.5 (1.6.4 plus 5011 fix).
5023 - trunk version 1.6.6 in development.
5024 - Fix issue on macOX 10.10 where TCP fast open is detected but not
5028 - Fix #1402: squelch invalid argument error for fd_set_block on windows.
5031 - Patch to show DNSCrypt status in help output, from Carsten
5035 - Fix #1398: make cachedb secret configurable.
5036 - Remove spaces from Makefile.
5039 - Fix #1397: Recursive DS lookups for AS112 zones names should recurse.
5042 - Remove unused iter_env member (ip6arpa_dname)
5043 - Do not reset rrset.bogus stats when called using stats_noreset.
5044 - Added stats for queries that have been ratelimited by domain
5046 - Do not add rrset_bogus and query ratelimiting stats per thread, these
5050 - Fix #1394: mix of serve-expired and response-ip could cause a crash.
5053 - upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02),
5054 config.sub(2016-09-05).
5055 - annotate case statement fallthrough for gcc 7.1.1.
5056 - flex output from flex 2.6.1.
5057 - snprintf of thread number does not warn about truncated string.
5058 - squelch TCP fast open error on FreeBSD when kernel has it disabled,
5060 - remove warning from windows compile.
5061 - Fix compile with libnettle
5062 - Fix DSA configure switch (--disable dsa) for libnettle and libnss.
5063 - Fix #1365: Add Ed25519 support using libnettle.
5064 - iana portlist update
5067 - Fix #1350: make cachedb backend configurable (from JINMEI Tatuya).
5068 - Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor).
5069 With the -p option unbound does not create a pidfile.
5072 - Fix #1344: RFC6761-reserved domains: test. and invalid.
5073 - Redirect all localhost names to localhost address for RFC6761.
5076 - Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg.
5077 - Fix svn hooks for tdir (selected if testcode/mini_tdir.sh exists)..
5080 - Fix 1332: Bump verbosity of failed chown'ing of the control socket.
5083 - Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned
5085 - Fix #1331: libunbound segfault in threaded mode when context is
5087 - Fix pythonmod link line option flag.
5088 - Fix openssl 1.1.0 load of ssl error strings from ssl init.
5091 - Fix python example0 return module wait instead of error for pass.
5092 - iana portlist update
5093 - enhancement for hardened-tls for DNS over TLS. Removed duplicated
5097 - Tag 1.6.4 is created with the 1.6.4rc2 contents.
5098 - Trunk contains 1.6.5, with changes from 26, 27 june.
5099 - Remove signed unsigned warning from authzone.
5100 - Fix that infra cache host hash does not change after reconfig.
5103 - (for 1.6.5)
5105 - First fix for zero b64 and hex text zone format in sldns.
5106 - unbound-control dump_infra prints port number for address if not 53.
5109 - (for 1.6.5): fixup of dnscrypt_cert_chacha test (from Manu Bretelle).
5112 - Tag 1.6.4rc2
5115 - Added fastrpz patch to contrib
5118 - Fix #1316: heap read buffer overflow in parse_edns_options.
5121 - Fix warning in pythonmod under clang compiler.
5122 - Tag 1.6.4rc1
5123 - Fix lintian typo.
5126 - Fix #1277: disable domain ratelimit by setting value to 0.
5129 - Fix #1301: memory leak in respip and tests.
5130 - Free callback in edns-subnetmod on exit and restart.
5131 - Fix memory leak in sldns_buffer_new_frm_data.
5132 - Fix memory leak in dnscrypt config read.
5133 - Fix dnscrypt chacha cert support ifdefs.
5134 - Fix dnscrypt chacha cert unit test escapes in grep.
5135 - Remove asynclook tests that cause test and purifier problems.
5136 - Fix to unlock view in view test.
5139 - Fix stub zone queries leaking to the internet for
5140 harden-referral-path ns checks.
5141 - Fix query for refetch_glue of stub leaking to internet.
5144 - Fix #1279: Memory leak on reload when python module is enabled.
5145 - Fix #1280: Unbound fails assert when response from authoritative
5146 contains malformed qname. When 0x20 caps-for-id is enabled, when
5148 - 1.6.3 tag created, with only #1280 fix, trunk is 1.6.4 development.
5149 - More fixes in depth for buffer checks in 0x20 qname checks.
5152 - Fix #1278: Incomplete wildcard proof.
5155 - Added domain name based ECS whitelist.
5158 - Detect chacha for dnscrypt at configure time.
5159 - dnscrypt unit tests with chacha.
5162 - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
5163 - Add dnscrypt XChaCha20 tests.
5166 - Add an explicit type cast for TCP FASTOPEN fix.
5167 - renumbering B-Root's IPv6 address to 2001:500:200::b.
5168 - Fix #1275: cached data in cachedb is never used.
5169 - Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher.
5172 - Fix #1274: automatically trim chroot path from dnscrypt key/cert paths
5176 - Fix fastopen EPIPE fallthrough to perform connect.
5179 - Also use global local-zones when there is a matching view that does
5180 not have any local-zone specified.
5183 - Fix #1273: cachedb.c doesn't compile with -Wextra.
5184 - If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write.
5187 - Fix #1269: inconsistent use of built-in local zones with views.
5188 - Add defaults for new local-zone trees added to views using
5189 unbound-control.
5192 - Support for openssl EVP_DigestVerify.
5193 - Support for the ED25519 algorithm with openssl (from openssl 1.1.1).
5196 - Fix assertion for low buffer size and big edns payload when worker
5200 - Added redirect-bogus.patch to contrib directory.
5203 - Fix #1270: unitauth.c doesn't compile with higher warning level
5205 - exec_prefix is by default equal to prefix.
5206 - printout localzone for duplicate local-zone warnings.
5209 - authzone cname chain, no rrset duplicates, wildcard doesn't change
5213 - first services/authzone check in, it compiles and reads and writes
5215 - iana portlist update
5218 - Fix #1268: SIGSEGV after log_reopen.
5221 - Fix #1265 to use /bin/kill.
5222 - Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs,
5226 - Fix #1265: contrib/unbound.service contains hardcoded path.
5229 - Use qstate's region for IPSECKEY rrset (ipsecmod).
5232 - Implemented opportunistic IPsec support module (ipsecmod).
5233 - Some whitespace fixup.
5236 - updated dependencies in the makefile.
5237 - document trust-anchor-signaling in example config file.
5238 - updated configure, dependencies and flex output.
5239 - better module memory lookup, fix of unbound-control shm names for
5241 - Fix type AVC sldns rrdef.
5244 - Adjust servfail by iterator to not store in cache when serve-expired
5246 - Fix queries for nameservers under a stub leaking to the internet.
5249 - Add 'c' to getopt() in testbound.
5250 - iana portlist update
5253 - Fix tcp-mss failure printout text.
5254 - Set SO_REUSEADDR on outgoing tcp connections to fix the bind before
5259 - Added mesh_add_sub to add detached mesh entries.
5260 - Use mesh_add_sub for key tag signaling query.
5263 - Added test for leak of stub information.
5264 - Fix sldns wire2str printout of RR type CAA tags.
5265 - Fix sldns int16_data parse.
5266 - Fix sldns parse and printout of TSIG RRs.
5267 - sldns SMIMEA and AVC definitions, same as getdns definitions.
5270 - Fix #1259: "--disable-ecdsa" argument overwritten
5272 - iana portlist update
5273 - Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start.
5277 - Implemented trust anchor signaling using key tag query.
5280 - Based on #1257: check parse limit before t increment in sldns RR
5284 - unbound-checkconf -o allows query of dnstap config variables.
5285 Also unbound-control get_option. Also for dnscrypt.
5286 - trunk contains 1.6.3 version number (changes from 1.6.2 back from
5290 - Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle).
5291 - iana portlist update
5294 - Fix #1252: more indentation inconsistencies.
5295 - Fix #1253: unused variable in edns-subnet/addrtree.c:getbit().
5298 - Added ECS unit test (from Manu Bretelle).
5299 - ECS documentation fix (from Manu Bretelle).
5302 - Fix #1250: inconsistent indentation in services/listen_dnsport.c.
5303 - tag for 1.6.2rc1
5304 - (for 1.6.3:) unbound.h exports the shm stats structures. They use
5308 - subnet mem value is available in shm, also when not enabled,
5313 - Fix #1247: unbound does not shorten source prefix length when
5315 - Properly check for allocation failure in local_data_find_tag_datas.
5316 - Fix #1249: unbound doesn't return FORMERR to bogus ECS.
5317 - Set SHM ECS memory usage to 0 when module not loaded.
5320 - Display ECS module memory usage.
5323 - harden-algo-downgrade: no also makes unbound more lenient about
5327 - Remove ECS option after REFUSED answer.
5328 - Fix small memory leak in edns_opt_copy_alloc.
5329 - Respip dereference after NULL check.
5330 - Zero initialize addrtree allocation.
5331 - Use correct identifier for SHM destroy.
5334 - Fix pythonmod for cb changes.
5335 - Some whitespace fixup.
5338 - Unlock view in respip unit test
5341 - Generalise inplace callback (de)registration
5342 - (de)register inplace callbacks for module id
5343 - No unbound-control set_option for ECS options
5344 - Deprecated client-subnet-opcode config option
5345 - Introduced client-subnet-always-forward config option
5346 - Changed max-client-subnet-ipv6 default to 56 (as in RFC)
5347 - Removed extern ECS config options
5348 - module_restart_next now calls clear on all following modules
5349 - Also create ECS module qstate on module_event_pass event
5350 - remove malloc from inplace_cb_register
5353 - Small fixup for documentation.
5354 - iana portlist update
5355 - Fix respip for braces when locks arent used.
5356 - Fix pythonmod for cb changes.
5359 - Fix #1244: document that use of chroot requires trust anchor file to
5361 - iana portlist update
5364 - Do not add current time twice to TTL before ECS cache store.
5365 - Do not touch rrset cache after ECS cache message generation.
5366 - Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode.
5369 - Fix #1217: Add metrics to unbound-control interface showing
5372 - iana portlist update
5375 - Remove (now unused) event2 include from dnscrypt code.
5378 - Fix to prevent non-referal query from being cached as referal when the
5382 - Fix #1239: configure fails to find python distutils if python
5386 - Fix #1238: segmentation fault when adding through the remote
5387 interface a per-view local zone to a view with no previous
5389 - Fix #1229: Systemd service sandboxing, options in wrong sections.
5392 - Merge EDNS Client subnet implementation from feature branch into main
5396 - Fix doxygen for dnscrypt files.
5399 - #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then
5401 - make depend, autoconf, remove warnings about statement before var.
5402 - lru_demote and lruhash_insert_or_retrieve functions for getdns.
5403 - fixup for lruhash (whitespace and header file comment).
5404 - dnscrypt tests.
5407 - Patch for view functionality for local-data-ptr from Björn Ketelaars.
5408 - Fix #1237 - Wrong resolving in chain, for norec queries that get
5412 - Fix that SHM is not inited if not enabled.
5413 - Add trustanchor.unbound CH TXT that gets a response with a number
5416 - Fix that looped DNAMEs do not cause unbound to spend effort.
5417 - trustanchor tags are sorted. reusable routine to fetch taglist.
5420 - testbound understands Deckard MATCH rcode question answer commands.
5421 - Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead
5425 - Fix #1234: shortening DNAME loop produces duplicate DNAME records
5429 - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
5431 - fake-sha1 test option; print warning if used. To make unit tests.
5432 - unbound-control list local zone and data commands listed in the
5436 - make depend for build dependencies.
5437 - swig version 2.0.1 required.
5438 - fix enum conversion warnings
5441 - Fix #1230: swig version 2.0.0 is required for pythonmod, with
5442 1.3.40 it crashes when running repeatly unbound-control reload.
5443 - Response actions based on IP address from Jinmei Tatuya (Infoblox).
5446 - Fix #1229: Systemd service sandboxing in contrib/unbound.service.
5447 - iana portlist update
5450 - Fix testpkts.c, check if DO bit is set, not only if there is an OPT
5454 - For #1227: if we have sha256, set the cipher list to have no
5458 - Fix #1227: Fix that Unbound control allows weak ciphersuits.
5459 - Fix #1226: provide official 32bit binary for windows.
5462 - include sys/time.h for new shm code on NetBSD.
5465 - Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to
5467 - Patch from Luiz Fernando Softov for Stats Shared Memory.
5468 - unbound-control stats_shm command prints stats using shared memory,
5470 - make depend, autoconf, doxygen and lint fixed up.
5473 - Fix #1224: Fix that defaults should not fall back to "Program Files
5477 - iana portlist update
5480 - sldns updated for vfixed and buffer resize indication from getdns.
5483 - sldns has ED25519 and ED448 algorithm number and name for display.
5486 - tag 1.6.1rc3. -- which became 1.6.1 on 21feb, trunk has 1.6.2
5489 - Fix autoconf of systemd check for lack of pkg-config.
5492 - Fix pythonmod for typedef changes.
5493 - Fix dnstap for warning of set but not used.
5494 - tag 1.6.1rc2.
5497 - tag 1.6.1rc1.
5500 - Fix for type name change and fix warning on windows compile.
5503 - Include root trust anchor id 20326 in unbound-anchor.
5506 - Fix compile on solaris of the fix to use $host detect.
5509 - fix root_anchor test for updated icannbundle.pem lower certificates.
5512 - Fix 1211: Fix can't enable interface-automatic if no IPv6 with
5516 - Increase MAX_MODULE to 16.
5519 - Fix to Rename ub_callback_t to ub_callback_type, because POSIX
5521 - Fix to rename internally used types from _t to _type, because _t
5523 - iana portlist update
5526 - Fix to also block meta types 128 through to 248 with formerr.
5527 - Fix #1206: Some view-related commands are missing from 'unbound-control -h'
5530 - Fix #1202: Fix code comment that packed_rrset_data is not always
5534 - Fix #1201: Fix missing unlock in answer_from_cache error condition.
5537 - Fix to return formerr for queries for meta-types, to avoid
5538 packet amplification if this meta-type is sent on to upstream.
5539 - Fix #1184: Log DNS replies. This includes the same logging
5542 - Fix #1187: Source IP rate limiting, patch from Larissa Feng.
5545 - configure --enable-systemd and lets unbound use systemd sockets if
5546 you enable use-systemd: yes in unbound.conf.
5550 - Fix reload chdir failure when also chrooted to that directory.
5553 - Fix #1194: Cross build fails when $host isn't `uname` for getentropy.
5556 - Fix #1190: Do not echo back EDNS options in local-zone error response.
5557 - iana portlist update
5560 - Fix #1188: Unresolved symbol 'fake_dsa' in libunbound.so when built
5564 - Fix #1191: remove comment about view deletion.
5567 - iana portlist update
5568 - 64bit is default for windows builds.
5569 - Fix inet_ntop and inet_pton warnings in windows compile.
5572 - Fix #1178: attempt to fix setup error at end, pop result values
5576 - Fix #1182: Fix Resource leak (socket), at startup.
5577 - Fix unbound-control and ipv6 only.
5580 - Fix #1176: stack size too small for Alpine Linux.
5583 - Fix downcast warnings from visual studio in sldns code.
5584 - tag 1.6.0rc1 which became 1.6.0 on 15 dec, and trunk is 1.6.1.
5587 - Add DSA support for OpenSSL 1.1.0
5588 - Fix remote control without cert for LibreSSL
5591 - Added generic EDNS code for registering known EDNS option codes,
5595 - Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
5597 - Added code for registering inplace callback functions. The registered
5603 - Updated Python module for the above.
5604 - Updated Python documentation.
5607 - Fix #1173: differ local-zone type deny from unset
5611 - Fix #1170: document that 'inform' local-zone uses local-data.
5614 - hyphen as minus fix, by Andreas Schulze
5617 - Added local-zones and local-data bulk addition and removal
5618 functionality in unbound-control (local_zones, local_zones_remove,
5620 - iana portlist update
5623 - version 1.6.0 is in the development branch.
5624 - braces in view.c around lock statements.
5627 - new install-sh.
5630 - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
5634 - Make access-control-tag-data RDATA absolute. This makes the RDATA
5635 origin consistent between local-data and access-control-tag-data.
5636 - Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
5638 - QNAME minimisation uses QTYPE=A, therefore always check cache for
5639 this type in harden-below-nxdomain functionality.
5640 - Added unit test for QNAME minimisation + harden below nxdomain
5644 - iana portlist update.
5645 - Fix unit tests for DS hash processing for fake-dsa test option.
5646 - patch from Dag-Erling Smorgrav that removes code that relies
5650 - Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing
5651 Underneath" for the harden-below-nxdomain option.
5654 - Fix #1155: test status code of unbound-control in 04-checkconf,
5658 - Added stub-ssl-upstream and forward-ssl-upstream options.
5661 - configure detects ssl security level API function in the autoconf
5664 - Fix #1154: segfault when reading config with duplicate zones.
5665 - Note that for harden-below-nxdomain the nxdomain must be secure,
5669 - Set OpenSSL security level to 0 when using aNULL ciphers.
5672 - .gitattributes line for githubs code language display.
5673 - log-identity: config option to set sys log identity, patch from
5677 - iana portlist update.
5680 - Fix failure to build on arm64 with no sbrk.
5681 - iana portlist update.
5684 - Patch for server.num.zero_ttl stats for count of expired replies,
5688 - Fix unit tests for openssl 1.1, with no DSA, by faking DSA, enabled
5689 with the undocumented switch 'fake-dsa'. It logs a warning.
5692 - Fix #1134: unbound-control set_option -- val-override-date: -1 works
5694 The -- is to ignore the '-1' as an option flag.
5697 - serve-expired config option: serve expired responses with TTL 0.
5698 - g.root-servers.net has AAAA address.
5701 - Ported tests for local_cname unit test to testbound framework.
5704 - suppress compile warning in lex files.
5705 - init lzt variable, for older gcc compiler warnings.
5706 - fix --enable-dsa to work, instead of copying ecdsa enable.
5707 - Fix DNSSEC validation of query type ANY with DNAME answers.
5708 - Fixup query_info local_alias init.
5711 - Fix #1130: whitespace in example.conf.in more consistent.
5714 - Patch that resolves CNAMEs entered in local-data conf statements that
5716 - Removed patch comments from acllist.c and msgencode.c
5717 - Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf,
5719 - Fix #1125: unbound could reuse an answer packet incorrectly for
5721 - Fix #1118: libunbound.pc sets strange Libs, Libs.private values.
5722 - Added Requires line to libunbound.pc
5723 - Please doxygen by modifying mesh.h
5726 - Re-fix #839 from view commit overwrite.
5727 - Fixup const void cast warning.
5730 - Free view config elements.
5733 - Added qname-minimisation-strict config option.
5734 - iana portlist update.
5735 - fix memoryleak logfile when in debug mode.
5738 - Added views functionality.
5739 - Fix #1117: spelling errors, from Robert Edmonds.
5742 - Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav.
5745 - Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX.
5746 - Fix #839: Memory grows unexpectedly with large RPZ files.
5747 - Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile.
5748 - Fix #841: big local-zone's make it consume large amounts of memory.
5751 - tag for 1.5.10 release
5752 - trunk contains 1.5.11 in development.
5753 - Fix dnstap relaying "random" messages instead of resolver/forwarder
5755 - Fix #836: unbound could echo back EDNS options in an error response.
5758 - iana portlist update.
5759 - Fix #835: fix --disable-dsa with nettle verify.
5760 - tag for 1.5.10rc1 release.
5763 - Fix 883: error for duplicate local zone entry.
5764 - Test for openssl init_crypto and init_ssl functions.
5767 - fix potential memory leak in daemon/remote.c and nullpointer
5769 - iana portlist update.
5772 - Silenced flex-generated sign-unsigned warning print with gcc
5774 - Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
5777 - Fix #831: workaround for spurious fread_chk warning against petal.c
5780 - Take configured minimum TTL into consideration when reducing TTL
5784 - Fix #829: doc of sldns_wire2str_rdata_buf() return value has an
5785 off-by-one typo, from Jinmei Tatuya (Infoblox).
5786 - Fix incomplete prototypes reported by Dag-Erling Smørgrav.
5787 - Fix #828: missing type in access-control-tag-action redirect results
5791 - Fix compile with openssl 1.1.0 with api=1.1.0.
5794 - RFC 7958 is now out, updated docs for unbound-anchor.
5795 - Fix for compile without warnings with openssl 1.1.0.
5796 - Fix #826: Fix refuse_non_local could result in a broken response.
5797 - iana portlist update.
5800 - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
5802 - Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
5805 - Clarify local-zone-override entry in unbound.conf.5
5808 - 64bit build option for makedist windows compile, -w64.
5811 - Fix #820: set sldns_str2wire_rr_buf() dual meaning len parameter
5813 - unbound.conf.5 entries for define-tag, access-control-tag,
5814 access-control-tag-action, access-control-tag-data, local-zone-tag,
5815 and local-zone-override.
5818 - Fix #804: unbound stops responding after outage. Fixes queries
5820 - Fix #804: lower num_target_queries for iterator also for failed
5824 - Note that OPENPGPKEY type is RFC 7929.
5827 - Fix #807: workaround for possible some "unused" function parameters
5831 - use sendmsg instead of sendto for TFO.
5834 - Fix #806: wrong comment removed.
5837 - nicer ratelimit-below-domain explanation.
5840 - Fix #801: missing error condition handling in
5842 - Fix #802: workaround for function parameters that are "unused"
5844 - Fix #803: confusing (and incorrect) code comment in daemon_cleanup().
5847 - Fix typo in unbound.conf.
5850 - Fix #798: Client-side TCP fast open fails (Linux).
5853 - TCP Fast open patch from Sara Dickinson.
5854 - Fixed unbound.doxygen for 1.8.11.
5857 - access-control-tag-data implemented. verbose(4) prints tag debug.
5860 - Fix dynamic link of anchor-update.exe on windows.
5861 - Fix detect of mingw for MXE package build.
5862 - Fixes for 64bit windows compile.
5863 - Fix #788 for nettle 3.0: Failed to build with Nettle >= 3.0 and
5864 --with-libunbound-only --with-nettle.
5867 - For #787: prefer-ip6 option for unbound.conf prefers to send
5869 - Fix #787: outgoing-interface netblock/64 ipv6 option to use linux
5874 - Document always_transparent, always_refuse, always_nxdomain types.
5877 - Fix static compile on windows missing gdi32.
5880 - Create a pkg-config file for libunbound in contrib.
5883 - Fix #784: Build configure assumess that having getpwnam means there
5885 - Updated repository with newer flex and bison output.
5888 - Possibility to specify local-zone type for an acl/tag pair
5889 - Possibility to specify (override) local-zone type for a source address
5892 - Decrease dp attempts at each QNAME minimisation iteration
5895 - Fix tcp timeouts in tv.usec.
5898 - TCP_TIMEOUT is specified in milliseconds.
5899 - If more than half of tcp connections are in use, a shorter timeout
5903 - QNAME minimisation unit test for dropped QTYPE=A queries.
5906 - Fix 775: unbound-host and unbound-anchor crash on windows, ignore
5908 - Fix spelling in freebind option man page text.
5909 - Fix windows link of ssl with crypt32.
5910 - Fix 779: Union casting is non-portable.
5911 - Fix 780: MAP_ANON not defined in HP-UX 11.31.
5912 - Fix 781: prealloc() is an HP-UX system library call.
5915 - Use QTYPE=A for QNAME minimisation.
5916 - Keep track of number of time-outs when performing QNAME minimisation.
5917 Stop minimising when number of time-outs for a QNAME/QTYPE pair is
5921 - Fix #778: unbound 1.5.9: -h segfault (null deref).
5922 - Fix directory: fix for unbound-checkconf, it restores cwd.
5925 - And delete service.conf.shipped on uninstall.
5926 - In unbound.conf directory: dir immediately changes to that directory,
5929 - keep debug symbols in windows build.
5930 - do not delete service.conf on windows uninstall.
5931 - document directory immediate fix and allow EXECUTABLE syntax in it
5935 - Trunk is called 1.5.10 (with previous fixes already in there to 2
5937 - Revert fix for NetworkService account on windows due to breakage
5939 - Fix that windows install will not overwrite existing service.conf
5943 - Lookup localzones by taglist from acl.
5944 - Possibility to lookup local_zone, regardless the taglist.
5945 - Added local_zone/taglist/acl unit test.
5948 - Fix #773: Non-standard Python location build failure with pyunbound.
5949 - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
5952 - Better help text from -h (from Ray Griffith).
5953 - access-control-tag config directive.
5954 - local-zone-override config directive.
5955 - access-control-tag-action and access-control-tag-data config
5957 - free acl-tags, acltag-action and acltag-data config lists during
5961 - Fix to not ignore return value of chown() in daemon startup.
5964 - Fix libubound for edns optlist feature.
5965 - Fix distinction between free and CRYPTO_free in dsa and ecdsa alloc.
5966 - Fix #752: retry resource temporarily unavailable on control pipe.
5967 - un-document localzone tags.
5968 - tag for release 1.5.9rc1.
5970 - Fix (for 1.5.10): Fix unbound-anchor.exe file location defaults to
5972 - re-documented localzone tags in example.conf.
5975 - Fix windows service to be created run with limited rights, as a
5977 - compat strsep implementation.
5978 - generic edns option parse and store code.
5979 - and also generic edns options for upstream messages (and replies).
5985 - Fix time in case answer comes from cache in ub_resolve_event().
5986 - Attempted fix for #765: _unboundmodule missing for python3.
5989 - Fix #770: Small subgroup attack on DH used in unix pipe on localhost
5991 - Document write permission to directory of trust anchor needed.
5992 - Fix #768: Unbound Service Sometimes Can Not Shutdown
5996 - Updated patch from Charles Walker.
5999 - disable-dnssec-lame-check config option from Charles Walker.
6000 - remove memory leak from lame-check patch.
6001 - iana portlist update.
6004 - Fix #767: Reference to an expired Internet-Draft in
6005 harden-below-nxdomain documentation.
6008 - No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
6010 - iana portlist update.
6013 - Fix #766: dns64 should synthesize results on timeout/errors.
6016 - Fix #761: DNSSEC LAME false positive resolving nic.club.
6019 - trunk updated with output of flex 2.6.0.
6022 - Fix memory leak in out-of-memory conditions of local zone add.
6025 - Fix sldns with static checking fixes copied from getdns.
6028 - Fix #759: 0x20 capsforid no longer checks type PTR, for
6032 - Fix some malformed responses to edns queries get fallback to nonedns.
6035 - cachedb module event handling design.
6038 - cachedb module framework (empty).
6039 - iana portlist update.
6042 - Fix #753: document dump_requestlist is for first thread.
6045 - Document permit-small-holddown for 5011 debug.
6046 - Fix #749: unbound-checkconf gets SIGSEGV when use against a
6047 malformatted conf file.
6050 - OpenSSL 1.1.0 portability, --disable-dsa configure option.
6053 - Fix compile of getentropy_linux for SLES11 servicepack 4.
6054 - Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
6055 - Fix test for openssl to use HMAC_Update for 1.1.0.
6056 - acx_nlnetlabs.m4 to v33, with HMAC_Update.
6057 - acx_nlnetlabs.m4 to v34, with -ldl -pthread test for libcrypto.
6058 - ERR_remove_state deprecated since openssl 1.0.0.
6059 - OPENSSL_config is deprecated, removing.
6062 - Validate QNAME minimised NXDOMAIN responses.
6063 - If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
6064 harden-below-nxdomain.
6067 - Limit number of QNAME minimisation iterations.
6070 - Fix #746: Fix unbound sets CD bit on all forwards.
6074 - iana portlist update.
6077 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
6078 - Fix ip-transparent for tcp on freebsd.
6081 - ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
6085 - Fix warnings in ifdef corner case, older or unknown libevent.
6086 - Fix compile for ub_event code with older libev.
6089 - Remove warning about unused parameter in event_pluggable.c.
6090 - Fix libev usage of dispatch return value.
6091 - No side effects in tolower() call, in case it is a macro.
6092 - For test put free in pluggable api in parenthesis.
6095 - Fixup backend2str for libev.
6098 - User defined pluggable event API for libunbound
6099 - Fixup of compile fix for pluggable event API from P.Y. Adi
6103 - Updated configure and ltmain.sh.
6104 - Updated L root IPv6 address.
6107 - Fix #747: assert in outnet_serviced_query_stop.
6108 - iana ports fetched via https.
6109 - iana portlist update.
6112 - configure tests for the weak attribute support by the compiler.
6115 - 1.5.8 release tag
6116 - trunk contains 1.5.9 in development.
6117 - iana portlist update.
6118 - Fix #745: unbound.py - idn2dname throws UnicodeError when idnname
6122 - Fix OpenBSD asynclook lock free that gets used later (fix test code).
6123 - Fix that NSEC3 negative cache is used when there is no salt.
6126 - ub_ctx_set_stub() function for libunbound to config stub zones.
6127 - sorted ubsyms.def file with exported libunbound functions.
6130 - Print understandable debug log when unusable DS record is seen.
6131 - load gost algorithm if digest is seen before key algorithm.
6132 - iana portlist update.
6135 - Fix that "make install" fails due to "text file busy" error.
6138 - Set IPPROTO_IP6 for ipv6 sockets otherwise invalid argument error.
6141 - ip-transparent option for FreeBSD with IP_BINDANY socket option.
6142 - wait for sendto to drain socket buffers when they are full.
6145 - Test for type OPENPGPKEY.
6146 - insecure-lan-zones: yesno config option, patch from Dag-Erling
6150 - Fix patch typo in prevuous commit for 734 from Adi Prasaja.
6151 - RR Type CSYNC support RFC 7477, in debug printout and config input.
6152 - RR Type OPENPGPKEY support (draft-ietf-dane-openpgpkey-07).
6155 - Neater cmdline_verbose increment patch from Edgar Pettijohn.
6158 - Made netbsd sendmsg test nonfatal, in case of false positives.
6159 - Fix #741: log message for dnstap socket connection is more clear.
6162 - Fix #734: chown the pidfile if it resides inside the chroot.
6163 - Use arc4random instead of random in tests (because it is
6165 - Fix cmsg alignment for argument to sendmsg on NetBSD.
6166 - Fix that unbound complains about unimplemented IP_PKTINFO for
6167 sendmsg on NetBSD (for interface-automatic).
6170 - Fix #738: Swig should not be invoked with CPPFLAGS.
6173 - Squelch 'cannot assign requested address' log messages unless
6177 - Fix to simplify empty string checking from Michael McConville.
6178 - iana portlist update.
6181 - Fix #734: Do not log an error when the PID file cannot be chown'ed.
6185 - Fix test if -pthreads unused to use better grep for portability.
6188 - Fix mingw crosscompile for recent mingw.
6189 - Update aclocal, autoconf output with new versions (1.15, 2.4.6).
6192 - #731: tcp-mss, outgoing-tcp-mss options for unbound.conf, patch
6194 - Support RFC7686: handle ".onion" Special-Use Domain. It is blocked
6198 - Define DEFAULT_SOURCE together with BSD_SOURCE when that is defined,
6200 - Fixup contrib/aaaa-filter-iterator.patch for moved contents in the
6205 - Fix #729: omit use of escape sequences in echo since they are not
6206 portable (unbound-control-setup).
6209 - remove NULL-checks before free, patch from Michael McConville.
6210 - updated ax_pthread.m4 to version 21 with clang support, this
6212 - OSX portability, detect if sbrk is deprecated.
6213 - OSX clang, stop -pthread unused during link stage warnings.
6214 - OSX clang new flto check.
6217 - 1.5.7 release
6218 - trunk has 1.5.8 in development.
6221 - Fixup 724 for unbound-control.
6224 - Do not minimise forwarded requests.
6227 - Removed unneeded whitespace from example.conf.
6230 - (after rc1 tag)
6231 - Committed fix to qname minimisation and unit test case for it.
6234 - iana portlist update.
6235 - 1.5.7rc1 prerelease tag.
6238 - Fixup 724: Fix PCA prompt for unbound-service-install.exe.
6239 re-enable stdout printout.
6240 - For 724: Add Changelog to windows binary dist.
6243 - Qname minimisation review fixes
6246 - Fixup 724 fix for fname_after_chroot() calls.
6247 - Remove stdout printout for unbound-service-install.exe
6248 - .gitignore for git users.
6251 - Implemented qname minimisation
6254 - Fix for #724: conf syntax to read files from run dir (on Windows).
6257 - Fix for #720, fix unbound-control-setup windows batch file.
6260 - Fix #720: add windows scripts to zip bundle.
6261 - iana portlist update.
6264 - Added assert on rrset cache correctness.
6265 - Fix that malformed EDNS query gets a response without malformed EDNS.
6268 - newer acx_nlnetlabs.m4.
6269 - spelling fixes from Igor Sobrado Delgado.
6272 - Fix #594. libunbound: optionally use libnettle for crypto.
6273 Contributed by Luca Bruno. Added --with-nettle for use with
6274 --with-libunbound-only.
6275 - refactor nsec3 hash implementation to be more library-portable.
6276 - iana portlist update.
6277 - Fixup DER encoded DSA signatures for libnettle.
6280 - Fix for lenient accept of reverse order DNAME and CNAME.
6283 - Change example.conf: ftp.internic.net to https://www.internic.net
6286 - ACX_SSL_CHECKS no longer adds -ldl needlessly.
6289 - Fix #718: Fix unbound-control-setup with support for env
6293 - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
6294 - Fix #716: nodata proof with empty non-terminals and wildcards.
6297 - Fix checklock testcode for linux threads on exit.
6300 - isblank() compat implementation.
6301 - detect libexpat without xml_StopParser function.
6302 - portability fixes.
6303 - portability, replace snprintf if return value broken.
6306 - Fix #714: Document config to block private-address for IPv4
6310 - Fix #712: unbound-anchor appears to not fsync root.key.
6313 - 1.5.6 release.
6314 - trunk tracks development of 1.5.7.
6317 - Fix segfault in the dns64 module in the formaterror error path.
6318 - Fix sldns_wire2str_rdata_scan for malformed RRs.
6319 - tag for 1.5.6rc1 release.
6322 - ANY responses include DNAME records if present, as per Evan Hunt's
6324 - Fix manpage to suggest using SIGTERM to terminate the server.
6327 - Default for ssl-port is port 853, the temporary port assignment
6330 to put a clause in unbound.conf for that. The new value is likely
6332 - iana portlist update.
6335 - 1.5.5 release.
6336 - trunk tracks the development of 1.5.6.
6339 - MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
6341 - tag for 1.5.5rc1 release.
6342 - makedist.sh: pgp sig echo commands.
6345 - Fix unbound-control flush that does not succeed in removing data.
6348 - Fix config globbed include chroot treatment, this fixes reload of
6349 globs (patch from Dag-Erling Smørgrav).
6350 - iana portlist update.
6351 - Fix #702: New IPs for for h.root-servers.net.
6352 - Remove confusion comment from canonical_compare() function.
6353 - Fix #705: ub_ctx_set_fwd() return value mishandled on windows.
6354 - testbound selftest also works in non-debug mode.
6355 - Fix minor error in unbound.conf.5.in
6356 - Fix unbound.conf(5) access-control description for precedence
6360 - changed windows setup compression to be more transparent.
6363 - Fix #697: Get PY_MAJOR_VERSION failure at configure for python
6365 - Feature #699: --enable-pie option to that builds PIE binary.
6366 - Feature #700: --enable-relro-now option that enables full read-only
6370 - Fix deadlock for local data add and zone add when unbound-control
6372 - iana portlist update.
6373 - Change default of harden-algo-downgrade to off. This is lenient
6377 - 5011 implementation does not insist on all algorithms, when
6378 harden-algo-downgrade is turned off.
6379 - Reap the child process that libunbound spawns.
6382 - Fix #694: configure script does not detect LibreSSL 2.2.2
6385 - Document that local-zone nodefault matches exactly and transparent
6389 - Document in the manual more text about configuring locally served
6391 - Fix 5011 anchor update timer after reload.
6392 - Fix mktime in unbound-anchor not using UTC.
6395 - please afl-gcc (llvm) for uninitialised variable warning.
6396 - Added permit-small-holddown config to debug fast 5011 rollover.
6399 - Fix #690: Reload fails when so-reuseport is yes after changing
6400 num-threads.
6401 - iana portlist update.
6404 - Fix configure to detect SSL_CTX_set_ecdh_auto.
6405 - iana portlist update.
6408 - Enable ECDHE for servers. Where available, use
6409 SSL_CTX_set_ecdh_auto() for TLS-wrapped server configurations to
6415 - Allow certificate chain files to allow for intermediate certificates.
6419 - makedist produces sha1 and sha256 files for created binaries too.
6422 - 1.5.4 release tag
6423 - trunk has 1.5.5 in development.
6424 - Fix #681: Setting forwarders with unbound-control forward
6425 implicitly turns on forward-first.
6428 - iana portlist update.
6429 - Fix alloc with log for allocation size checks.
6432 - Fix #677 Fix DNAME responses from cache that failed internal chain
6434 - iana portlist update.
6437 - Fix #677 Fix CNAME corresponding to a DNAME was checked incorrectly
6441 - RFC 7553 RR type URI support, is now enabled by default.
6444 - Fix #674: Do not free pointers given by getenv.
6447 - Fix that unparseable error responses are ratelimited.
6448 - SOA negative TTL is capped at minimumttl in its rdata section.
6449 - cache-max-negative-ttl config option, default 3600.
6452 - Document that ratelimit works with unbound-control set_option.
6455 - iana portlist update.
6456 - documentation proposes ratelimit of 1000 (closer to what upstream
6460 - DLV is going to be decommissioned. Advice to stop using it, and
6464 - Change syntax of particular validator error to be easier for
6470 - caps-whitelist in unbound.conf allows whitelist of loadbalancers
6471 that cannot work with caps-for-id or its fallback.
6474 - Unit test for type ANY synthesis.
6477 - Removed contrib/unbound_unixsock.diff, because it has been
6478 integrated, use control-interface: /path in unbound.conf.
6479 - iana portlist update.
6482 - Synthesize ANY responses from cache. Does not search exhaustively,
6484 - Fix leaked dns64prefix configuration string.
6487 - Add local-zone type inform_deny, that logs query and drops answer.
6488 - Ratelimit does not apply to prefetched queries, and ratelimit-factor
6491 - Fix bug#664: libunbound python3 related fixes (from Tomas Hozza)
6494 libunbound-Python: libldns is not used anymore.
6498 - unbound-control ratelimit_list lists high rate domains.
6499 - ratelimit feature, ratelimit: 100, or some sensible qps, can be
6501 For particular names you can configure exceptions in unbound.conf.
6502 - Fix that get_option for cache-sizes does not print double newline.
6503 - Fix#663: ssl handshake fails when using unix socket because dh size
6507 - Fix crash in dnstap: Do not try to log TCP responses after timeout.
6510 - Libunbound skips dos-line-endings from etc/hosts.
6511 - Unbound exits with a fatal error when the auto-trust-anchor-file
6513 load a readonly auto-trust-anchor-file with trust-anchor-file.
6517 - unbound-control list_insecure command shows the negative trust
6521 - Fix #660: Fix interface-automatic broken in the presence of
6525 - remote.c probedelay line is easier to read.
6526 - rename ldns subdirectory to sldns to avoid name collision.
6529 - Fix #657: libunbound(3) recommends deprecated
6531 - If unknown trust anchor algorithm, and libressl is used, error
6535 - Fix segfault on user not found at startup (from Maciej Soltysiak).
6538 - Fixed to add integer overflow checks on allocation (defense in depth).
6541 - Add ip-transparent config option for bind to non-local addresses.
6544 - Use reallocarray for integer overflow protection, patch submitted
6548 - Fixup compile on cygwin, more portable openssl thread id.
6551 - Updated default keylength in unbound-control-setup to 3k.
6554 - Fix lintian warning in unbound-checkconf man page (from Andreas
6556 - print svnroot when building windows dist.
6557 - iana portlist update.
6558 - Fix warning on sign compare in getentropy_linux.
6561 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
6564 - iana portlist update.
6567 - contrib/unbound_smf22.tar.gz: Solaris SMF installation/removal
6569 - Document that incoming-num-tcp increase is good for large servers.
6570 - stats reports tcp usage, of incoming-num-tcp buffers.
6573 - Patch from Brad Smith that syncs compat/getentropy_linux with
6574 OpenBSD's version (2015-03-04).
6575 - 0x20 fallback improved: servfail responses do not count as missing
6578 many nameservers does not try to compare more than max-sent-count,
6580 - store caps_response with best response in case downgrade response
6582 - Document windows 8 tests.
6585 - tag 1.5.3rc1
6589 - iana portlist update.
6592 - Use the getrandom syscall introduced in Linux 3.17 (from Heiner
6594 - Fix #645 Portability to Solaris 10, use AF_LOCAL.
6595 - Fix #646 Portability to Solaris, -lrt for getentropy_solaris.
6596 - Fix #647 crash in 1.5.2 because pwd.db no longer accessible after
6600 - 1.5.2 release tag.
6601 - svn trunk contains 1.5.3 under development.
6604 - Fix #643: doc/example.conf.in: unnecessary whitespace.
6607 - tag 1.5.2rc1
6610 - iana portlist update.
6613 - Fix scrubber with harden-glue turned off to reject NS (and other
6614 not-address) records.
6617 - Fix validation failure in case upstream forwarder (ISC BIND) does
6622 - infra-cache-min-rtt patch from Florian Riehm, for expected long
6626 - Fix 0x20 capsforid fallback to omit gratuitous NS and additional
6628 - Portability fix for Solaris ('sun' is not usable for a variable).
6631 - Fix pyunbound byte string representation for python3.
6634 - Fix unintended use of gcc extension for incomplete enum types,
6638 - windows port fixes, no AF_LOCAL, no chown, no chmod(grp).
6641 - unit test for local unix connection. Documentation and log_addr
6643 - unbound-checkconf -f prints chroot with pidfile path.
6646 - iana portlist update.
6649 - Cast sun_len sizeof to socklen_t.
6650 - Fix pyunbound ord call, portable for python 2 and 3.
6653 - Fix warnings in pythonmod changes.
6656 - iana portlist update.
6657 - patch for remote control over local sockets, from Dag-Erling
6658 Smorgrav, Ilya Bakulin. Use control-interface: /path/sock and
6659 control-use-cert: no.
6660 - Fixup that patch and uid lookup (only for daemon).
6661 - coded the default of control-use-cert, to yes.
6664 - getauxval test for ppc64 linux compatibility.
6665 - make strip works for unbound-host and unbound-anchor.
6666 - patch from Stephane Lapie that adds to the python API, that
6668 - print query name when max target count is exceeded.
6669 - patch from Stuart Henderson that fixes DESTDIR in
6670 unbound-control-setup for installs where config is not in
6672 - Fix #634: fix fail to start on Linux LTS 3.14.X, ignores missing
6674 - Updated contrib warmup.cmd/sh to support two modes - load
6675 from pre-defined list of domains or (with filename as argument)
6676 load from user-specified list of domains, and updated contrib
6680 - Patch from Philip Paeps to contrib/unbound_munin_ that uses
6681 type ABSOLUTE. Allows munin.conf: [idleserver.example.net]
6685 - svn trunk has 1.5.2 in development.
6686 - config.guess and config.sub update from libtoolize.
6687 - local-zone: example.com inform makes unbound log a message with
6691 - Fix CVE-2014-8602: denial of service by making resolver chase
6695 - Fix bug#632: unbound fails to build on AArch64, protects
6699 - Add include to getentropy_linux.c, hopefully fixing debian build.
6702 - Fix makefile for build from noexec source tree.
6705 - Fix libunbound undefined symbol errors for main.
6709 - Fix log at high verbosity and memory allocation failure.
6710 - iana portlist update.
6713 - Fix crash on multiple thread random usage on systems without
6717 - fix compat/getentropy_win.c check if CryptGenRandom works and no
6721 - Fix cdflag dns64 processing.
6724 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
6726 - iana portlist update.
6729 - Fix #627: SSL_CTX_load_verify_locations return code not properly
6733 - parser with bison 2.7
6736 - Patch from Stephane Lapie for ASAHI Net that implements aaaa-filter,
6737 added to contrib/aaaa-filter-iterator.patch.
6740 - trunk has 1.5.1 in development.
6741 - Patch from Robert Edmonds to build pyunbound python module
6742 differently. No versioninfo, with -shared and without $(LIBS).
6743 - Patch from Robert Edmonds fixes hyphens in unbound-anchor man page.
6744 - Removed 'increased limit open files' log message that is written
6747 - Patch from James Raftery, always print stats for rcodes 0..5.
6750 - iana portlist update.
6751 - Fix bug where forward or stub addresses with same address but
6753 - version number in svn trunk is 1.5.0
6754 - tag 1.5.0rc1
6755 - review fix from Ralph.
6758 - dnstap fixes by Robert Edmonds:
6760 dnstap/: Remove compiled protoc-c output files
6763 protobuf-c 1.0.0
6767 - Add ub_ctx_add_ta_autr function to add a RFC5011 automatically
6769 - Redefine internal minievent symbols to unique symbols that helps
6773 - Disabled use of SSLv3 in remote-control and ssl-upstream.
6774 - iana portlist update.
6777 - Documented dns64 configuration in unbound.conf man page.
6780 - Fix #617: in ldns in unbound, lowercase WKS services.
6781 - Fix ctype invocation casts.
6784 - Fix unbound-checkconf check for module config with dns64 module.
6785 - Fix unbound capsforid fallback, it ignores TTLs in comparison.
6788 - Fix #614: man page variable substitution bug.
6790 - Whitespaces after $ORIGIN are not part of the origin dname (ldns).
6791 - $TTL's value starts at position 5 (ldns).
6794 - fix #613: Allow tab ws in var length last rdfs (in ldns str2wire).
6797 - Fix #612: create service with service.conf in present directory and
6799 - Fix for mingw compile openssl ranlib.
6802 - updated configure and aclocal with newer autoconf 1.13.
6805 - Fix swig and python examples for Python 3.x.
6806 - Fix for mingw compile with openssl-1.0.1i.
6809 - improve python configuration detection to build on Fedora 22.
6812 - patches to also build with Python 3.x (from Pavel Simerda).
6815 - Fix tcp timer waiting list removal code.
6816 - iana portlist update.
6817 - Updated the TCP_BACLOG from 5 to 256, so that the tcp accept queue
6821 - Fix unit test for CDS typecode.
6824 - type CDS and CDNSKEY types in sldns.
6827 - Fixup checklock code for log lock and its mutual initialization
6829 - iana portlist update.
6830 - Removed necessity for pkg-config from the dnstap.m4, new are
6831 the --with-libfstrm and --with-protobuf-c configure options.
6834 - Update unbound manpage with more explanation (from Florian Obser).
6837 - Fix #603: unbound-checkconf -o <option> should skip verification
6839 - iana portlist update.
6840 - Fixup doc/unbound.doxygen to remove obsolete 1.8.7 settings.
6843 - dnstap support, with a patch from Farsight Security, written by
6844 Robert Edmonds. The --enable-dnstap needs libfstrm and protobuf-c.
6846 Building with --enable-dnstap needs pkg-config with this patch.
6847 - Noted dnstap in doc/README and doc/CREDITS.
6848 - Changes to the dnstap patch.
6849 - lint fixes.
6850 - dnstap/dnstap_config.h should not have been added to the repo,
6854 - Patch add msg, rrset, infra and key cache sizes to stats command
6856 - iana portlist update.
6859 - DNS64 from Viagenie (BSD Licensed), written by Simon Perrault.
6861 This adds a module (for module-config in unbound.conf) dns64 that
6863 - Changes from DNS64:
6868 - testdata/dns64_lookup.rpl for unit test for dns64 functionality.
6871 - Patch from Dag-Erling Smorgrav that implements feature, unbound -dd
6875 - Fix endian.h include for OpenBSD.
6878 - And Fix#596: Bail out of unbound-control dump_infra when ssl
6882 - Fix #596: Bail out of unbound-control list_local_zones when ssl
6884 - iana portlist update.
6887 - Configure tests if main can be linked to from getentropy compat.
6890 - Fix getentropy compat code, function refs were not portable.
6891 - Fix to check openssl version number only for OpenSSL.
6892 - LibreSSL provides compat items, check for that in configure.
6893 - Fix bug in fix for log locks that caused deadlock in signal handler.
6894 - update compat/getentropy and arc4random to the most recent ones from OpenBSD.
6897 - fake-rfc2553 patch (thanks Benjamin Baier).
6900 - arc4random in compat/ and getentropy, explicit_bzero, chacha for
6904 - fix strptime implicit declaration error on OpenBSD.
6905 - arc4random, getentropy and explicit_bzero compat for Windows.
6908 - Fix #593: segfault or crash upon rotating logfile.
6911 - DLV tests added.
6912 - signit tool fixup for compile with libldns library.
6913 - iana portlist updated.
6916 - so-reuseport is available on BSDs(such as FreeBSD 10) and OS/X.
6919 - unbound-control status reports if so-reuseport was successful.
6920 - iana portlist updated.
6923 - Fix caps-for-id fallback, and added fallback attempt when servers
6925 - Fixup testsetup for VM tests (run testcode/run_vm.sh).
6928 - iana portlist updated.
6931 - Add AAAA for B root server to default root hints.
6934 - Remove unused define from iterator.h
6937 - Fixup sldns_enum_edns_option typedef definition.
6940 - Code cleanup patch from Dag-Erling Smorgrav, with compiler issue
6942 Generate unbound-control-setup.sh at build time so it respects
6956 no longer used. Add unbound-control-setup.sh to the list of
6960 - Fixup out-of-directory compile with unbound-control-setup.sh.in.
6961 - make depend.
6964 - unbound-host -D enabled dnssec and reads root trust anchor from
6968 - Feature, unblock-lan-zones: yesno that you can use to make unbound
6973 - Updated create_unbound_ad_servers and unbound_cache scripts from
6978 - Implement draft-ietf-dnsop-rfc6598-rfc6303-01.
6979 - iana portlist updated.
6982 - Contrib windows scripts from Yuri Voinov added to src/contrib:
6983 create_unbound_ad_servers.cmd: enters anti-ad server lists.
6985 - Added unbound-control-setup.cmd from Yuri Voinov to the windows
6989 - Change MAX_SENT_COUNT from 16 to 32 to resolve some cases easier.
6992 - More #567: remove : from output of stub and forward lists, this is
6996 - iana portlist updated.
6997 - Add unbound-control flush_negative that flushed nxdomains, nodata,
6998 and errors from the cache. For dnssec-trigger and NetworkManager,
7003 - Patch from Jeremie Courreges-Anglas to use arc4random_uniform
7007 - Fix compile with libevent2 on FreeBSD.
7010 - Fix #502: explain that do-ip6 disable does not stop AAAA lookups,
7012 - iana portlist updated.
7015 - iana portlist updated.
7016 - Patch from Hannes Frederic Sowa for Linux 3.15 fragmentation
7018 - Document that dump_requestlist only prints queries from thread 0.
7019 - unbound-control stats prints num.query.tcpout with number of TCP
7021 - Fix #567: unbound lists if forward zone is secure or insecure with
7024 - Fix #554: use unsigned long to print 64bit statistics counters on
7026 - Fix #558: failed prefetch lookup does not remove cached response
7028 - Fix #545: improved logging, the ip address of the error is printed
7029 on the same log-line as the error.
7032 - Fix #574: make test fails on Ubuntu 14.04. Disabled remote-control
7034 - iana portlist updated.
7037 - C.ROOT-SERVERS.NET has an IPv6 address, and we updated the root
7039 - Fix #572: Fix unit test failure for systems with different
7043 - Fix #569: do_tcp is do-tcp in unbound.conf man page.
7046 - Patch from Stuart Henderson to build unbound-host man from .1.in.
7049 - Fix print filename of encompassing config file on read failure.
7052 - tag 1.4.22
7053 - trunk has 1.4.23 in development.
7056 - Fix bug#561: contrib/cacti plugin did not report SERVFAIL rcodes
7060 - tag 1.4.22rc1
7063 - iana portlist updated.
7066 - Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is
7068 existence in 4592. NSEC empty non-terminals exist and thus the
7074 - Works on Minix (3.2.1).
7077 - Fix parse of #553(NSD) string in sldns, quotes without spaces.
7080 - iana portlist updated.
7081 - add body to ifstatement if locks disabled.
7082 - add TXT string"string" test case to unit test.
7083 - Fix #551: License change "Regents" to "Copyright holder", matching
7087 - sldns has type HIP.
7088 - code documentation on the module interface.
7091 - Fix sldns parse tests on osx.
7094 - Detect libevent2 install automatically by configure.
7095 - Fixup link with lib/event2 subdir.
7096 - Fix parse in sldns of quoted parenthesized text strings.
7099 - unit test for ldns wire to str and back with zones, root, nlnetlabs
7101 - Fix for hex to string in unknown, atma and nsap.
7102 - fixup nss compile (no ldns in it).
7103 - fixup warning in unitldns
7104 - fixup WKS and rdata type service to print unsigned because strings
7106 - fixup type EUI48 and EUI64, type APL and type IPSECKEY in string
7110 - delay-close does not act if there are udp-wait queries, so that
7114 - iana portlist updated.
7115 - iana portlist test updated so it does not touch the source
7117 - delay-close: msec option that delays closing ports for which
7120 is open so that no port-denied ICMPs are generated.
7123 - reuseport is attempted, then fallback to without on failure.
7126 - Change unbound-event.h to use void* buffer, length idiom.
7127 - iana portlist updated.
7128 - unbound-event.h is installed if you configure --enable-event-api.
7129 - speed up unbound (reports say it could be up to 10%), by reducing
7131 - so-reuseport: yesno option to distribute queries evenly over
7133 - made lint clean.
7136 - Fix #547: no trustanchor written if filesystem full, fclose checked.
7139 - Fix isprint() portability in sldns, uses unsigned int.
7140 - iana portlist updated.
7143 - fix #544: Fixed +i causes segfault when running with module conf
7145 - Windows port, adjust %lld to %I64d, and warning in win_event.c.
7148 - iana portlist updated.
7151 - Fix bug in cachedump that uses sldns.
7152 - update pythonmod for ldns_ to sldns_ name change.
7155 - Fix sldns to use sldns_ prefix for all ldns_ variables.
7156 - Fix windows compile to compile with sldns.
7159 - Fix sldns to make globals use sldns_ prefix. This fixes
7163 - Fix bug#537: compile python plugin without ldns library.
7166 - Fix bug#536: acl_deny_non_local and refuse_non_local added.
7169 - Patch from Neel Goyal to fix async id assignment if callback
7171 - Accept ip-address: as an alternative for interface: for
7172 consistency with nsd.conf syntax.
7175 - Patch from Neel Goyal to fix callback in libunbound.
7178 - if configured --with-libunbound-only fix make install.
7181 - Fix #531: Set SO_REUSEADDR so that the wildcard interface and a
7184 - iana portlist update.
7185 - separate ldns into core ldns inside ldns/ subdirectory. No more
7186 --with-ldns is needed and unbound does not rely on libldns.
7187 - portability fixes for new USE_SLDNS ldns subdir codebase.
7190 - Patch from Neel Goyal: Add an API call to set an event base on an
7196 - Fix #528: if very high logging (4 or more) segfault on allow_snoop.
7199 - unbound-event.h is installed if configured --with-libevent. It
7200 contains low-level library calls, that use libevent's event_base
7205 - 1.4.21 tag created.
7206 - trunk has 1.4.22 number inside it.
7207 - iana portlist updated.
7208 - acx_nlnetlabs.m4 to 26; improve FLTO help text.
7211 - Fix#524: max-udp-size not effective to non-EDNS0 queries, from
7215 - MIN_TTL and MAX_TTL also in time_t.
7216 - tag 1.4.21rc1 made again.
7219 - More fixes for bug#519: for the threaded case test if the bg
7223 - more fixes that I overlooked.
7224 - review fixes from Willem.
7227 - Fix#520: Errors found by static analysis from Tomas Hozza(redhat).
7230 - Fix for 2038, with time_t instead of uint32_t.
7233 - Fix#519 ub_ctx_delete may hang in some scenarios (libunbound).
7236 - Fix uninit variable in fix#516.
7239 - Fix#516 dnssec lameness detection for answers that are improper.
7242 - tag 1.4.21rc1
7245 - Fix#512 memleak in testcode for testbound (if it fails).
7246 - Fix#512 NSS returned arrays out of setup function to be statics.
7249 - max include of 100.000 files (depth and globbed at one time).
7251 - iana portlist updated.
7254 - streamtcp man page, contributed by Tomas Hozza.
7255 - iana portlist updated.
7256 - libunbound documentation on how to avoid openssl race conditions.
7259 - Squelch sendto-permission denied errors when the network is
7261 - configure --disable-flto option (from Robert Edmonds).
7264 - Fix for const string literals in C++ for libunbound, from Karel
7266 - iana portlist updated.
7269 - Fixup manpage syntax.
7272 - get_option and set_option support for log-time-ascii, python-script
7273 val-sig-skew-min and val-sig-skew-max. log-time-ascii takes effect
7277 - get_option, set_option, unbound-checkconf -o and libunbound
7278 getoption and setoption support cache-min-ttl and cache-max-ttl.
7281 - Fix#501: forward-first does not recurse, when forward name is ".".
7282 - iana portlist update.
7283 - Max include depth is unlimited.
7286 - Update acx_pthreads.m4 to ax_pthreads.4 (2013-03-29), and apply
7287 patch to it to not fail when -Werror is also specified, from the
7288 autoconf-archives.
7289 - iana portlist update.
7292 - Explain bogus and secure flags in libunbound more.
7295 - Fix#499 use-after-free in out-of-memory handling code (thanks Jake
7297 - Fix#500 use on non-initialised values on socket bind failures.
7300 - Fix round-robin doesn't work with some Windows clients (from Ilya
7304 - update acx_nlnetlabs.m4 to v23, sleep w32 fix.
7307 - add unbound-control insecure_add and insecure_remove for the
7311 - Implement max-udp-size config option, default 4096 (thanks
7313 - Robust checks on dname validity from rdata for dname compare.
7314 - updated iana portlist.
7317 - Fixup snprintf return value usage, fixed libunbound_get_option.
7320 - fix bug #491: pick program name (0th argument) as syslog identity.
7321 - own implementation of compat/snprintf.c.
7324 - Fix so that for a configuration line of include: "*.conf" it is not
7326 - unbound-anchor review: BIO_write can return 0 successfully if it
7330 - Fix queries leaking up for stubs and forwards, if the configured
7334 - code improve for minimal responses, small speed increase.
7337 - updated iana portlist.
7338 - Fix crash in previous private address fixup of 22 March.
7341 - Make reverse zones easier by documenting the nodefault statements
7342 commented-out in the example config file.
7345 - more fixes to lookup3.c endianness detection.
7348 - #492: Fix endianness detection, revert to older lookup3.c detection
7354 - Fix resolve of names that use a mix of public and private addresses.
7355 - iana portlist update.
7356 - Fix makedist for new svn for -d option.
7357 - unbound.h header file has UNBOUND_VERSION_MAJOR define.
7358 - Fix windows RSRC version for long version numbers.
7361 - release 1.4.20
7362 - trunk has 1.4.21
7363 - committed libunbound version 4:1:2 for binary API updated in 1.4.20
7364 - install copy of unbound-control.8 man page for unbound-control-setup
7367 - iana portlist update.
7368 - tag 1.4.20rc1
7371 - Fixup makedist.sh for windows compile.
7374 - iana portlist update.
7375 - testcode/ldns-testpkts.c check for makedist is informational.
7378 - fix defines in lookup3 for bigendian bsd alpha
7381 - Fixup openssl_thread init code to only run if compiled with SSL.
7384 - detect endianness in lookup3 on BSD.
7385 - add libunbound.ttl at end of result structure, version bump for
7388 - update iana port list.
7391 - includes and have_ssl fixes for nss.
7394 - printout name of zone with duplicate fwd and hint errors.
7397 - updated fwd_zero for newer nc. Updated common.sh for newer netstat.
7400 - unbound-anchors checks the emailAddress of the signer of the
7403 - update iana port list.
7406 - Test that unbound-control checks client credentials.
7407 - Test that unbound can handle a CNAME at an intermediate node in
7409 - Check the commonName of the signer of the root.xml file in
7410 unbound-anchor, default is dnssec@iana.org.
7413 - Fix openssl lock free on exit (reported by Robert Fleischman).
7414 - iana portlist updated.
7415 - Tested that unbound implements the RFC5155 Technical Errata id 3441.
7420 - Fix unbound-anchor xml parse of entity declarations for safety.
7423 - iana portlist updated.
7426 - iana portlist updated.
7429 - Change of D.ROOT-SERVERS.NET A address in default root hints.
7432 - 1.4.19 release.
7433 - trunk has 1.4.20 under development.
7436 - note support for AAAA RR type RFC.
7439 - 1.4.19rc1 tag.
7442 - bug 481: fix python example0.
7443 - iana portlist updated.
7446 - iana portlist updated.
7449 - Fix unbound-control forward disables configured stubs below it.
7452 - Fixup ldns-testpkts, identical to ldns/examples.
7453 - iana portlist updated.
7456 - Fix bug #477: unbound-anchor segfaults if EDNS is blocked.
7459 - Fix validation for responses with both CNAME and wildcard
7463 - update ldns-testpkts.c to ldns 1.6.14 version.
7464 - fix build of pythonmod in objdir, for unbound.py.
7465 - make clean and makerealclean remove generated python and docs.
7468 - fix build of pythonmod in objdir (thanks Jakob Schlyter).
7471 - fix text in unbound-anchor man page.
7474 - ignore trusted-keys globs that have no files (from Paul Wouters).
7477 - include: directive in config file accepts wildcards. Patch from
7478 Paul Wouters. Suggested use: include: "/etc/unbound.d/conf.d/*"
7479 - unbound-control -q option is quiet, patch from Mariano Absatz.
7480 - iana portlist updated.
7481 - updated contrib/unbound.spec, patch from Valentin Bud.
7484 - chdir to / after chroot call (suggested by Camiel Dobbelaar).
7487 - patch_rsamd5_enable.diff: this patch enables RSAMD5 validation
7494 - RFC6725 deprecates RSAMD5: this DNSKEY algorithm is disabled.
7495 - iana portlist updated.
7498 - Nicer comments outgoing-port-avoid, thanks Stu (bug #465).
7501 - Fallback to 1472 and 1232, one fragment size without headers.
7504 - Fix timeouts so that when a server has been offline for a while
7509 - Add documentation to libunbound for default nonuse of resolv.conf.
7512 - trunk has 1.4.19 under development (fixes from 1 aug and 31 july
7514 - iana portlist updated.
7517 - Fix openssl race condition, initializes openssl locks, reported
7521 - Improved forward-first and stub-first documentation.
7522 - Fix that enables modules to register twice for the same
7525 - Fix forward-first option where it sets the RD flag wrongly.
7526 - added manpage links for libunbound calls (Thanks Paul Wouters).
7529 - tag 1.4.18rc2 (became 1.4.18 release at 2 august 2012).
7532 - unbound-host works with libNSS
7533 - fix bogus nodata cname chain not reported as bogus by validator,
7537 - iana portlist updated.
7538 - tag 1.4.18rc1.
7541 - review fix for libnss, check hash prefix allocation size.
7544 - fix missing break for GOST DS hash function.
7545 - implemented forward_first for the root.
7548 - Fix bug#452 and another assertion failure in mesh.c, makes
7553 - Fix bug#454: Remove ACX_CHECK_COMPILER_FLAG from configure.ac,
7554 if CFLAGS is specified at configure time then '-g -O2' is not
7558 - Fix libunbound report of errors when in background mode.
7561 - updated iana ports list.
7564 - Add flush_bogus option for unbound-control
7567 - Fix validation of qtype DS queries that result in no data for
7568 non-optout NSEC3 zones.
7571 - compile libunbound with libnss on Suse, passes regression tests.
7574 - FIPS_mode openssl does not use arc4random but RAND_pseudo_bytes.
7577 - updated iana ports list.
7580 - patch for unbound_munin_ script to handle arbitrary thread count by
7584 - detect if openssl has FIPS_mode.
7585 - code review: return value of cache_store can be ignored for better
7587 - fix edns-buffer-size and msg-buffer-size manpage documentation.
7588 - updated iana ports list.
7591 - disable RSAMD5 if in FIPS mode (for openssl and for libnss).
7594 - implement DS records, NSEC3 and ECDSA for compile with libnss.
7597 - fix error handling of alloc failure during rrsig verification.
7598 - nss check for verification failure.
7599 - nss crypto works for RSA and DSA.
7602 - work on --with-nss build option (for now, --with-libunbound-only).
7605 - --with-libunbound-only build option, only builds the library and
7609 - code review.
7612 - implement log-time-ascii on windows.
7613 - The key-cache bad key ttl is now 60 seconds.
7614 - updated iana ports list.
7615 - code review.
7618 - bug #452: fix crash on assert in mesh_state_attachment.
7621 - silence warning from swig-generated code (md set but not used in
7622 swig initmodule, due to ifdefs in swig-generated code).
7625 - Fix debian-bugs-658021: Please enable hardened build flags.
7628 - updated iana ports list.
7631 - tag for 1.4.17 release.
7632 - trunk is 1.4.18 in development.
7635 - Review comments, removed duplicate memset to zero in delegpt.
7638 - Updated doc/FEATURES with RFCs that are implemented but not listed.
7639 - Protect if statements in val_anchor for compile without locks.
7640 - tag for 1.4.17rc1.
7643 - fix configure ECDSA support in ldns detection for windows compile.
7644 - fix possible uninitialised variable in windows pipe implementation.
7647 - Fix alignment problem in util/random on sparc64/freebsd.
7650 - Fix for accept spinning reported by OpenBSD.
7651 - iana portlist updated.
7654 - Fix validation of nodata for DS query in NSEC zones, reported by
7658 - ECDSA support (RFC 6605) by default. Use --disable-ecdsa for older
7662 - Applied patch from Daisuke HIGASHI for rrset-roundrobin and
7663 minimal-responses features.
7664 - iana portlist updated.
7667 - fix bug #443: --with-chroot-dir not honoured by configure.
7668 - fix bug #444: setusercontext was called too late (thanks Bjorn
7672 - fix bug #442: Fix that Makefile depends on pythonmod headers
7673 even using --without-pythonmodule.
7676 - contrib/validation-reporter follows rotated log file (patch from
7680 - new approach to NS fetches for DS lookup that works with
7684 - iana portlist updated.
7685 - fix to locate nameservers for DS lookup with NS fetches.
7688 - Patch for access to full DNS packet data in unbound python module
7692 - Applied line-buffer patch from Augie Schwer to validation.reporter.sh.
7695 - flush_infra cleans timeouted servers from the cache too.
7696 - removed warning from --enable-ecdsa.
7699 - forward-first option. Tries without forward if a query fails.
7700 Also stub-first option that is similar.
7703 - Fix from code review, if EINPROGRESS not defined chain if statement
7707 - Fix bug#434: on windows check registry for config file location
7708 for unbound-control.exe, and unbound-checkconf.exe.
7711 - Fix to squelch 'network unreachable' errors from tcp connect in
7715 - iter_hints is now thread-owned in module env, and thus threadsafe.
7716 - Fix prefetch and sticky NS, now the prefetch works. It picks
7723 - Fix forward-zone memory, uses malloc and frees original root dp.
7724 - iter hints (stubs) uses malloc inside for more dynamicity.
7725 - unbound-control forward_add, forward_remove, stub_add, stub_remove
7727 they can also add and remove domain-insecure for the zone.
7730 - Fix sticky NS (ghost domain problem) if prefetch is yes.
7731 - iter forwards uses malloc inside for more dynamicity.
7734 - RT#2955. Fix for cygwin compilation.
7735 - iana portlist updated.
7738 - Slightly smaller critical region in one case in infra cache.
7739 - Fix timeouts to keep track of query type, A, AAAA and other, if
7741 - unit test fix for nomem_cnametopos.rpl race condition.
7744 - Fix AHX_BROKEN_MEMCMP for autoheader mess up of #undef in config.h.
7747 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
7750 been assigned). Needs recent ldns with --enable-ecdsa.
7751 - fix memory leak in errorcase for DSA signatures.
7752 - iana portlist updated.
7753 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
7756 - fix for windows, rename() is not posix compliant on windows.
7759 - 1.4.16 release tag.
7760 - svn trunk is 1.4.17 in development.
7761 - iana portlist updated.
7764 - Fix validation failures (like: validation failure xx: no NSEC3
7766 because of a bug in the TTL-fix in 1.4.15, it picked the wrong rdata
7770 - Fix version-number in libtool to be version-info so it produces
7774 - Tag 1.4.15 (same as 1.4.15rc1), for 1.4.15 release.
7775 - trunk 1.4.16; includes changes memset testcode, #424 openindiana,
7777 - applied patch to support outgoing-interface with ub_ctx_set_option.
7780 - Fix memset in test code.
7783 - Fix bug #424: compile on OpenIndiana OS with gcc 4.6.2.
7786 - Fix to write key files completely to a temporary file, and if that
7790 - tag 1.4.15rc1 created
7791 - updated libunbound/ubsyms.def and remade tag 1.4.15rc1.
7794 - Fix bug where canonical_compare of RRSIG did not downcase the
7795 signer-name. This is mostly harmless because RRSIGs do not have
7799 - bug#428: add ub_version() call to libunbound. API version increase,
7803 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
7806 - iana portlist updated.
7807 - uninitialised variable in reprobe for rtt blocked domains fixed.
7808 - lintfix and new flex output.
7811 - Fix to randomize hash function, based on 28c3 congress, reported
7815 - Fix for memory leak (about 20 bytes when a tcp or udp send operation
7819 - iana portlist updated.
7822 - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
7824 http://www.unbound.net/downloads/CVE-2011-4528.txt
7825 - robust checks for next-closer NSEC3s.
7826 - tag 1.4.14 created.
7827 - trunk has 1.4.15 in development.
7830 - remove uninit warning from cachedump code.
7831 - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
7834 - iana portlist updated.
7835 - svn tag 1.4.14rc1
7836 - fix infra cache comparison.
7837 - Fix to constrain signer_name to be a parent of the lookupname.
7840 - Fix getaddrinfowithincludes on windows with fedora16 mingw32-gcc.
7841 - Fix warnings with gcc 4.6 in compat/inet_ntop.c.
7842 - Fix warning unused in compat/strptime.c.
7843 - Fix malloc detection and double definition.
7846 - configure generated with autoconf 2.68.
7849 - Fix for tcp-upstream and ssl-upstream for if a laptop sleeps, causes
7853 - Fix quartile time estimate, it was too low, (thanks Jan Komissar).
7854 - iana ports updated.
7857 - Makefile compat with SunOS make, BSD make and GNU make.
7858 - iana ports updated.
7861 - Makefile changed for BSD make compatibility.
7864 - added unit test for SSL service and SSL-upstream.
7867 - can configure ssl service to one port number, and not on others.
7868 - fixup windows compile with ssl support.
7869 - Fix double free in unbound-host, reported by Steve Grubb.
7870 - iana portlist updated.
7873 - dns over ssl support as a client, ssl-upstream yes turns it on.
7875 - documentation for new options: ssl-upstream, ssl-service-key and
7876 ssl-service.pem.
7877 - iana portlist updated.
7878 - fix -flto detection on Lion for llvm-gcc.
7881 - dns over ssl support, ssl-service-pem and ssl-service-key files
7885 - lame-ttl and lame-size options no longer exist, it is integrated
7888 - fix iana-update for changing gzip compression of results.
7889 - fix export-all-symbols on OSX.
7892 - iana portlist updated.
7893 - Infra cache stores information about ping and lameness per IP, zone.
7895 - fix iana_update target for gzipped file on iana site.
7898 - Fix resolve of partners.extranet.microsoft.com with a fix for the
7901 - Fix make_new_space function so that the incoming query is not
7907 - fix --enable-allsymbols, fptr wlist is disabled on windows with this
7911 - fix unbound-anchor for broken strptime on OSX lion, detected
7913 - Detect if GOST really works, openssl1.0 on OSX fails.
7914 - Implement ipv6%interface notation for scope_id usage.
7917 - better documentation for inform_super (Thanks Yang Zhe).
7920 - Fix for out-of-memory condition in libunbound (thanks
7924 - Fix --enable-allsymbols, it depended on link specifics of the
7928 - updated contrib/unbound_munin_ to family=auto so that it works with
7929 munin-node-configure automatically (if installed as
7933 - unbound.exe -w windows option for start and stop service.
7936 - TCP-upstream calculates tcp-ping so server selection works if there
7940 - Fix classification of NS set in answer section, where there is a
7941 parent-child server, and the answer has the AA flag for dir.slb.com.
7945 - fix bug #408: accept patch from Steve Snyder that comments out
7947 - iana portlist updated.
7948 - fix EDNS1480 change memleak and TCP fallback.
7949 - fix various compiler warnings (reported by Paul Wouters).
7950 - max sent count. EDNS1480 only for rtt < 5000. No promiscuous
7957 - release 1.4.13.
7958 - trunk contains 1.4.14 in development.
7959 - Unbound probes at EDNS1480 if there an EDNS0 timeout.
7962 - Reverted dns EDNS backoff fix, it did not help and needs
7964 - tag 1.4.13rc2
7967 - Fix operation in ipv6 only (do-ip4: no) mode.
7970 - fedora specfile updated.
7973 - tag 1.4.13rc1
7976 - iana portlist updated.
7979 - Fix num-threads 0 does not segfault, reported by Simon Deziel.
7980 - Fix validation failures due to EDNS backoff retries, the retry
7988 - Applied patch from Karel Slany that fixes a memory leak in the
7992 - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
7998 - Fix that internally, CNAMEs with NXDOMAIN have that as rcode.
7999 - Documented the options that work with control set_option command.
8000 - tcp-upstream yes/no option (works with set_option) for tunnels.
8003 - fix autoconf call in makedist crosscompile to RC or snapshot.
8006 - Fix validation of . DS query.
8007 - new xml format at IANA, new awk for iana_update.
8008 - iana portlist updated.
8011 - Fix python site-packages path to /usr/lib64.
8012 - updated patch from Tom.
8013 - fix memory and fd leak after out-of-memory condition.
8016 - patch from Tom Hendrikx fixes load of python modules.
8019 - make clean had ldns-src reference, removed.
8022 - Fix autoconf 2.68 warnings
8025 - Unbound implements RFC6303 (since version 1.4.7).
8026 - tag 1.4.12rc1 is released as 1.4.12 (without the other fixes in the
8028 - iana portlist updated.
8031 - Quick fix for contrib/unbound.spec example, no ldns-builtin any more.
8034 - Fix wildcard expansion no-data reply under an optout NSEC3 zone is
8038 - 1.4.12rc1 tag created.
8041 - version number in example config file.
8042 - fix that --enable-static-exe does not complain about it unknown.
8045 - tag relase 1.4.11, trunk is 1.4.12 development.
8046 - iana portlist updated.
8047 - fix bug#395: id bits of other query may leak out under conditions
8048 - fix replyaddr count wrong after jostled queries, which leads to
8050 - fix comment about rndc port, that referred to the old port number.
8051 - fix that the listening socket is not closed when too many remote
8053 - removed ldns-src tarball inside the unbound tarball.
8056 - Changed -flto check to support clang compiler.
8057 - tag 1.4.11rc3 created.
8060 - tag 1.4.11rc1 created.
8061 - remove warning about signed/unsigned from flex (other flex version).
8062 - updated aclocal.m4 and libtool to match.
8063 - tag 1.4.11rc2 created.
8066 - log-queries: yesno option, default is no, prints querylog.
8067 - version is 1.4.11.
8070 - Use -flto compiler flag for link time optimization, if supported.
8071 - iana portlist updated.
8074 - IPv6 service address for d.root-servers.net (2001:500:2D::D).
8077 - unbound-control has version number in the header,
8079 - Unbound control port number is registered with IANA:
8080 ub-dns-control 8953/tcp unbound dns nameserver control
8081 This is the new default for the control-port config setting.
8082 - statistics-interval prints the number of jostled queries to log.
8085 - Fix Makefile for U in environment, since wrong U is more common than
8087 - iana portlist updated.
8088 - updated ldns tarball to 1.6.10rc2 snapshot of today.
8091 - Fix assertion failure when unbound generates an empty error reply
8092 in response to a query, CVE-2011-1922 VU#531342.
8093 - This fix is in tag 1.4.10.
8094 - defense in depth against the above bug, an error is printed to log
8098 - bug#386: --enable-allsymbols option links all binaries to libunbound
8100 - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
8101 - iana portlist updated.
8102 - Fix TTL of SOA so negative TTL is separately cached from normal TTL.
8105 - configure created with newer autoconf 2.66.
8108 - bug#378: Fix that configure checks for ldns_get_random presence.
8111 - iana portlist updated.
8112 - queries with CD flag set cause DNSSEC validation, but the answer is
8116 - val-override-date: -1 ignores dates entirely, for NTP usage.
8119 - harden-below-nxdomain: changed so that it activates when the
8124 - iana portlist updated.
8125 - release 1.4.9.
8126 - trunk is 1.5.0
8129 - bug#370: new unbound.spec for CentOS 5.x from Harold Jones.
8130 Applied but did not do the --disable-gost.
8133 - tag 1.4.9 release candidate 1 created.
8136 - updated ldns to today.
8139 - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
8140 - give config parse error for multiple names on a stub or forward zone.
8141 - updated ldns tarball to 1.6.9(todays snapshot).
8144 - bug #361: Fix, time.elapsed variable not reset with stats_noreset.
8147 - iana portlist updated.
8148 - common.sh to version 3.
8151 - common.sh in testdata updated to version 2.
8154 - Added explicit note on unbound-anchor usage:
8155 Please note usage of unbound-anchor root anchor is at your own risk
8159 - iana portlist updated.
8160 - tpkg updated with common.sh for common functionality.
8163 - Added regression test for addition of a .net DS to the root, and
8165 - iana portlist updated.
8168 - Fix remove private address does not throw away entire response.
8171 - release 1.4.8
8174 - fix bug#349: no -L/usr for ldns.
8177 - ldns 1.6.8 tarball included.
8178 - release 1.4.8rc1.
8181 - add get and set option for harden-below-nxdomain feature.
8182 - iana portlist updated.
8185 - Fix so a changed NS RRset does not get moved name stuck on old
8189 - Fix prefetch so it does not get stuck on old server for moved names.
8192 - iana portlist updated.
8195 - Fix insecure CNAME sequence marked as secure, reported by Bert
8199 - faster lruhash get_mem routine.
8202 - bug#346: remove ITAR scripts from contrib, the service is discontinued, use the root.
8203 - iana portlist updated.
8206 - Fix in infra cache that could cause rto larger than TOP_TIMEOUT kept.
8209 - algorithm compromise protection using the algorithms signalled in
8211 and thus, if you have multiple algorithms in your trust-anchor-file
8213 for algorithms needs to be double-signature until the old algorithm
8216 - iana portlist updated.
8219 - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
8220 - fix validation in this case: CNAME to nodata for co-hosted opt-in
8224 - Fix our 'BDS' license (typo reported by Xavier Belanger).
8227 - iana portlist updated.
8228 - review changes for unbound-anchor.
8231 - feature typetransparent localzone, does not block other RR types.
8234 - Fix bug#338: print address when socket creation fails.
8237 - Fix storage of EDNS failures in the infra cache.
8238 - iana portlist updated.
8241 - harden-below-nxdomain option, default off (because very old
8246 - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
8247 - make test output nicer.
8250 - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
8251 - iana portlist updated.
8252 - so-sndbuf option for very busy servers, a bit like so-rcvbuf.
8255 - unbound-anchor compiles with openssl 0.9.7.
8258 - release tag 1.4.7.
8259 - trunk is version 1.4.8.
8260 - Be lenient and accept imgw.pl malformed packet (like BIND).
8263 - do not synthesize a CNAME message from cache for qtype DS.
8266 - Use central entropy to seed threads.
8269 - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.
8272 - tag 1.4.7rc1.
8273 - code review.
8276 - GOST code enabled by default (RFC 5933).
8279 - Fix uninit value in dump_infra print.
8280 - Fix validation failure for parent and child on same server with an
8282 - Configure detects libev-4.00.
8285 - dump_infra and flush_infra commands for unbound-control.
8286 - no timeout backoff if meanwhile a query succeeded.
8287 - Change of timeout code. No more lost and backoff in blockage.
8293 - Configure errors if ldns is not found.
8296 - Windows 7 fix for the installer.
8299 - Fix bug where fallback_tcp causes wrong roundtrip and edns
8302 - new unresponsive host method, exponentially increasing block backoff.
8303 - iana portlist updated.
8306 - interface automatic works for some people with ip6 disabled.
8310 - Fix for request list growth, if a server has long timeout but the
8318 - iana portlist updated.
8321 - Fix TCP so it uses a random outgoing-interface.
8322 - unbound-anchor handles ADDPEND keystate.
8325 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
8328 - iana portlist updated.
8329 - ldns tarball updated (for reading cachedumps with bad RR data).
8332 - test for unbound-anchor. fix for reading certs.
8333 - Fix alloc_reg_release for longer uptime in out of memory conditions.
8336 - unbound-anchor working, it creates or updates a root.key file.
8340 - iana portlist updated.
8343 - bug#329: in example.conf show correct ipv4 link-local 169.254/16.
8346 - unbound-anchor app, unbound requires libexpat (xml parser library).
8349 - compliance with draft-ietf-dnsop-default-local-zones-14, removed
8351 - iana portlist updated.
8354 - DLV has downgrade protection again, because the RFC says so.
8355 - iana portlist updated.
8358 - Algorithm rollover operational reality intrudes, for trust-anchor,
8359 5011-store, and DLV-anchor if one key matches it's good enough.
8360 - iana portlist updated.
8361 - Fix reported validation error in out of memory condition.
8364 - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
8367 - increased mesh-max-activation from 1000 to 3000 for crazy domains
8369 - iana portlist updated.
8372 - bug#327: Fix for cannot access stub zones until the root is primed.
8375 - unresponsive servers are not completely blacklisted (because of
8378 - iana portlist updated.
8381 - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
8387 - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
8390 - example.conf notes how to do DNSSEC validation and track the root.
8391 - iana portlist updated.
8394 - Fix bug#322: configure does not respect CFLAGS on Solaris.
8395 Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
8396 if use sun-cc, but some systems need different flags.
8399 - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
8401 - make test (or make check) should be more portable and run the unit
8405 - More pleasant remote control command parsing.
8406 - documentation added for return values reported by doxygen 1.7.1.
8407 - iana portlist updated.
8410 - Fix name of rrset printed that failed validation.
8413 - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.
8416 - Fix validation in case a trust anchor enters into a zone with
8420 - updated ldns tarball with bugfixes.
8421 - release tag 1.4.6.
8422 - trunk becomes 1.4.7 develop.
8423 - iana portlist updated.
8426 - more error details on failed remote control connection.
8429 - rlimit adjustments for select and ulimit can happen at the same time.
8432 - Donation text added to README.
8433 - Fix integer underflow in prefetch ttl creation from cache. This
8437 - Changed the defaults for num-queries-per-thread/outgoing-range.
8438 For builtin-select: 512/960, for libevent 1024/4096 and for
8444 - GOST enabled if SSL is recent and ldns has GOST enabled too.
8445 - ldns tarball updated.
8448 - iana portlist updated.
8449 - Fix validation of qtype DNSKEY when a key-cache entry exists but
8450 no rr-cache entry is used (it expired or prefetch), it then goes
8451 back up to the DS or trust-anchor to validate the DNSKEY.
8454 - Neat function prototypes, unshadowed local declarations.
8457 - failure to chown the pidfile is not fatal any more.
8458 - testbound uses UTC timezone.
8459 - ldns tarball updated (ports and works on Minix 3.1.7). On Minix, add
8463 - log if a server is skipped because it is on the donotquery list,
8465 - added feature to print configure date, target and options with -h.
8466 - added feature to print event backend system details with -h.
8467 - wdiff is not actually required by make test, updated requirements.
8470 - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
8475 - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
8482 - Fix the max number of reply-address count to be applied for duplicate
8487 - Fix handling of corner case reply from lame server, follows rfc2308.
8489 for a non-lame server turned up other misconfigured servers.
8490 - unbound.h has extern "C" statement for easier include in c++.
8493 - iana portlist updated.
8494 - makedist upgraded cross compile openssl option, like this:
8495 ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost
8498 - Unbound reports libev or libevent correctly in logs in verbose mode.
8499 - Fix to unload gost dynamic library module for leak testing.
8502 - iana portlist updated.
8505 - Add AAAA to root hints for I.ROOT-SERVERS.NET.
8508 - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
8510 - updated ldns tarball.
8513 - tag 1.4.5 created.
8514 - trunk contains 1.4.6 in development.
8515 - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
8516 - Fix to use one pointer less for iterator query state store_parent_NS.
8517 - makedist crosscompile to windows uses builtin ldns not host ldns.
8518 - Max referral count from 30 to 130, because 128 one character domains
8520 - added documentation for the histogram printout to syslog.
8523 - When retry to parent the retrycount is not wiped, so failed
8525 - iana portlist updated.
8528 - Fix bug where a long loop could be entered, now cycle detection
8529 has a loop-counter and maximum search amount.
8532 - iana portlist updated.
8533 - 1.4.5rc1 tag created.
8536 - ldns tarball updated, 1.6.5.
8537 - review comments, split dependency cycle tracking for parentside
8541 - Fix compile warning if compiled without threads.
8542 - updated ldns-tarball with current ldns svn (pre 1.6.5).
8543 - GOST disabled-by-default, the algorithm number is allocated but the
8547 - Ignore Z flag in incoming messages too.
8548 - Fix storage of negative parent glue if that last resort fails.
8549 - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
8550 - new splint flags for newer splint install.
8553 - Fix AD flag handling, it could in some cases mistakenly copy the AD
8555 - alloc_special_obtain out of memory is not a fatal error any more,
8557 - parentside names are dispreferred but not said to be dnssec-lame.
8558 - parentside check for cached newname glue.
8559 - fix parentside and querytargets modulestate, for dump_requestlist.
8560 - unbound-control-setup makes keys -rw-r--- so not all users permitted.
8561 - fix parentside from cache to be marked dispreferred for bad names.
8564 - iana portlist updated.
8565 - parent-child disagreement approach altered. Older fixes are
8569 parent if possible. Additionally the loop-counter is used.
8578 - Contribution from Migiel de Vos (Surfnet): nagios patch for
8579 unbound-host, in contrib/ (in the source tarball). Makes
8580 unbound-host suitable for monitoring dnssec(-chain) status.
8583 - EDNS timeout code will not fire if EDNS status already known.
8584 - EDNS failure not stored if EDNS status known to work.
8587 - Fix resolution for domains like safesvc.com.cn. If the iterator
8592 - Fix comments in iter_utils:dp_is_useless.
8595 - Fix various compiler warnings from the clang llvm compiler.
8596 - iana portlist updated.
8599 - Fix bug#308: spelling error in variable name in parser and lexer.
8602 - Fix dnssec-missing detection that was turned off by server selection.
8603 - Conforms to draft-ietf-dnsop-default-local-zones-13. Added default
8604 reverse lookup blocks for IPv4 test nets 100.51.198.in-addr.arpa,
8605 113.0.203.in-addr.arpa and Orchid prefix 0.1.1.0.0.2.ip6.arpa.
8608 - Fix for dnssec lameness detection to use the key cache.
8609 - infra cache entries that are expired are wiped clean. Previously
8613 - ldns tarball updated and GOST support is detected and then enabled.
8614 - iana portlist updated.
8615 - Fix detection of gost support in ldns (reported by Chris Smith).
8618 - unbound-control get_option domain-insecure shows config file items.
8619 - fix retry sequence if prime hints are recursion-lame.
8620 - autotrust anchor file can be initialized with a ZSK key as well.
8621 - harden-referral-path does not result in failures due to max-depth.
8622 You can increase the max-depth by adding numbers (' 0') after the
8623 target-fetch-policy, this increases the depth to which is checked.
8626 - Compile fix using Sun Studio 12 compiler on Solaris 5.9, use
8628 - if libev is installed on the base system (not libevent), detect
8629 it from the event.h header file and link with -lev.
8630 - configlexer.lex gets config.h, and configyyrename.h added by make,
8632 - More strict scrubber (Thanks to George Barwood for the idea):
8634 - Fix bug#307: In 0x20 backoff fix fallback so the number of
8635 outstanding queries does not become -1 and block the request.
8636 Fixed handling of recursion-lame in combination with 0x20 fallback.
8638 comparison fails, this makes it work around round-robin sites.
8641 - Squelch log message: sendto failed permission denied for
8643 - Fix to fetch data as last resort more tenaciously. When cycle
8646 - Fix fetch from blacklisted dnssec lame servers as last resort. The
8648 - Fix local-zone type redirect that did not use the query name for
8652 - tag 1.4.4.
8653 - trunk contains 1.4.5 in development.
8654 - Fix validation failure for qtype ANY caused by a RRSIG parse failure.
8658 - more portability defines for CMSG_SPACE, CMSG_ALIGN, CMSG_LEN.
8659 - tag 1.4.4rc1.
8662 - ECC-GOST algorithm number 12 that is assigned by IANA. New test
8663 example key and signatures for GOST. GOST requires openssl-1.0.0.
8667 - Fix bug#305: pkt_dname_tolower could read beyond end of buffer or
8670 - Fix chain of trust with CNAME at an intermediate step, for the DS
8674 - Fix validation of queries with wildcard names (*.example).
8677 - Fix EDNS probe for .de DNSSEC testbed failure, where the infra
8681 - GOST support with correct algorithm numbers.
8684 - iana portlist updated.
8687 - unbound control flushed items are not counted when flushed again.
8690 - iana portlist updated.
8693 - unbound-host disables use-syslog from config file so that the
8695 - fix bug#301: unbound-checkconf could not parse interface
8699 - fix fwd_ancil test to pass if the socket options are not supported.
8702 - Fixed random numbers for port, interface and server selection.
8704 - Refer to the listing in unbound-control man page in the extended
8705 statistics entry in the unbound.conf man page.
8708 - Fix interface-automatic for OpenBSD: msg.controllen was too small,
8710 - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO.
8711 - for NSEC3 check if signatures are cached.
8714 - unit test for util/regional.c.
8717 - Reordered configure checks so fork and -lnsl -lsocket checks are
8719 - iana portlist updated.
8720 - ldns tarball updated.
8721 - Fix python use when multithreaded.
8722 - Fix solaris python compile.
8723 - Include less in config.h and include per code file for ldns, ssl.
8726 - another memory allocation option: --enable-alloc-nonregional.
8728 - fix for memory alignment in struct sock_list allocation.
8729 - Fix for MacPorts ldns without ssl default, unbound checks if ldns
8731 - Fix daemonize on Solaris 10, it did not detach from terminal.
8732 - tag 1.4.3 created.
8733 - trunk is 1.4.4 in development.
8734 - spelling fix in validation error involving cnames.
8737 - --enable-alloc-lite works with test set.
8738 - portability in the testset: printf format conversions, prototypes.
8741 - tag 1.4.2 created.
8742 - trunk is 1.4.3 in development.
8743 - --enable-alloc-lite debug option.
8746 - iana portlist updated.
8749 - Fix crash in control channel code.
8752 - better casts in pipe code, brackets placed wrongly.
8753 - iana portlist updated.
8756 - make install depends on make all.
8757 - Fix 5011 auto-trust-anchor-file initial read to skip RRSIGs.
8758 - --enable-checking: enables assertions but does not look nonproduction.
8759 - nicer VERB_DETAIL (verbosity 2, unbound-host -d) output, with
8761 - ldns tarball updated.
8762 - --disable-rpath fixed for libtool not found errors.
8763 - new fedora specfile from Fedora13 in contrib from Paul Wouters.
8766 - Fixup prototype for lexer cleanup in daemon code.
8767 - unbound-control list_stubs, list_forwards, list_local_zones and
8771 - Fix scrubber bug that potentially let NS records through. Reported
8773 - Also delete potential poison references from additional.
8774 - Fix: no classification of a forwarder as lame, throw away instead.
8777 - libunbound ub_ctx_get_option() added.
8778 - unbound-control set_option and get_option commands.
8779 - iana portlist updated.
8782 - A little more strict DS scrubbing.
8783 - No more blacklisting of unresponsive servers, a 2 minute timeout
8785 - RD flag not enabled for dnssec-blacklisted tries, unless necessary.
8786 - pickup ldns compile fix, libdl for libcrypto.
8787 - log 'tcp connect: connection timed out' only in high verbosity.
8788 - unbound-control log_reopen command.
8789 - moved get_option code from unbound-checkconf to util/config_file.c
8792 - Disregard DNSKEY from authority section for chain of trust.
8793 DS records that are irrelevant to a referral scrubbed. Anti-poison.
8794 - iana portlist updated.
8797 - Check for 'no space left on device' (or other errors) when
8801 - Fixed the requery protection, the TTL was 0, it is now 900 seconds,
8807 - Re-query pattern changed on validation failure. To protect troubled
8814 - ldns tarball update for long label length syntax error fix.
8815 - iana portlist updated.
8818 - Fixup in compat snprintf routine, %f 1.02 and %g support.
8819 - include math.h for testbound test compile portability.
8822 - Updated url of IANA itar, interim trust anchor repository, in script.
8825 - iana portlist updated.
8826 - configure test for memcmp portability.
8829 - removed warning on format string in validator error log statement.
8830 - iana portlist updated.
8833 - libtool finish the install of unbound python dynamic library.
8836 - acx_nlnetlabs.m4 synchronised with nsd's version.
8839 - Fixup lookup trouble for parent-child domains on the first query.
8842 - Fixup ldns detection to also check for header files.
8845 - prefetch-key option that performs DNSKEY queries earlier in the
8850 - Fix unbound-checkconf for auto-trust-anchor-file present checks.
8853 - Fix for parent-child disagreement code which could have trouble
8855 were different. There were two bugs, the parent-side information
8859 - test and fixes to make prefetch actually store the answer in the
8864 - Fixup python documentation (thanks Leo Vandewoestijne).
8865 - Work on cache prefetch feature.
8866 - Stats for prefetch, in log print stats, unbound-control stats
8870 - iana portlist updated.
8871 - bug#291: DNS wireformat max is 255. dname_valid allowed 256 length.
8872 - verbose output includes parent-side-address notion for lameness.
8873 - documented val-log-level: 2 setting in example.conf and man page.
8874 - change unbound-control-setup from 1024(sha1) to 1536(sha256).
8877 - iana portlist updated.
8880 - configure with newer libtool 2.2.6b.
8883 - review comments.
8884 - tag 1.4.1.
8885 - trunk to version 1.4.2.
8888 - Answer to qclass=ANY queries, with class IN contents.
8890 - updated ldns snapshot tarball with latest fixes (parsing records).
8893 - on IPv4 UDP turn off DF flag.
8896 - requirements.txt updated with design choice explanations.
8897 - Reading fixes: fix to set unlame when child confirms parent glue,
8899 - verify_rrsig routine checks expiration last.
8902 - Fix Bug#287(reopened): update of ldns tarball with fix for parse
8904 - Fix SOA excluded from negative DS responses. Reported by Hauke
8908 - Fix negative cache lookup of closestencloser check of DS type bit.
8911 - Fix for lookup of parent-child disagreement domains, where the
8912 parent-side glue works but it does not provide proper NS, A or AAAA
8914 - Feature: you can specify a port number in the interface: line, so
8918 - Bug#287: Fix segfault when unbound-control remove nonexistent local
8922 - Fix crash with module-config "iterator".
8923 - Added unit test that has "iterator" module-config.
8926 - bug#284: fix parse of # without end-of-line at end-of-file.
8929 - updated ldns with release candidate for version 1.6.3.
8930 - tag for 1.4.0 release.
8931 - 1.4.1 version in trunk.
8932 - Fixup major libtool version to 2 because of why_bogus change.
8936 - Patch from David Hubbard for libunbound manual page.
8937 - Fixup endless spinning in unbound-control stats reported by
8941 - contrib/split-itar.sh contributed by Tom Hendrikx.
8944 - better argument help for unbound-control.
8945 - iana portlist updated.
8948 - noted multiple entries for multiple domain names in example.conf.
8949 - iana portlist updated.
8952 - Fixed signer detection of CNAME responses without signatures.
8953 - Fix#282 libunbound memleak on error condition by Eric Sesterhenn.
8954 - Tests for CNAMEs to deeper trust anchors, secure and bogus.
8955 - svn tag 1.4.0rc1 made.
8958 - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
8959 - unbound-host does not fail on type ANY.
8960 - Fixed wireparse failure to put RRSIGs together with data in some
8964 - iana portlist updated.
8965 - fix manpage errors reported by debian lintian.
8966 - review comments.
8967 - fixup very long vallog2 level error strings.
8970 - ldns tarball updated (to 1.6.2).
8971 - review comments.
8974 - Thanks to Surfnet found bug in new dnssec-retry code that failed
8976 - Fixed unbound-control -h output about argument optionality.
8977 - review comments.
8980 - lint fixes and portability tests.
8981 - better error text for multiple domain keys in one autotrust file.
8984 - Fix bug where autotrust does not work when started with a DS.
8985 - Updated GOST unit tests for unofficial algorithm number 249
8986 and DNSKEY-format changes in draft version -01.
8989 - iana portlist updated.
8990 - edns-buffer-size option, default 4096.
8991 - fixed do-udp: no.
8994 - removed abort on prealloc failure, error still printed but softfail.
8995 - iana portlist updated.
8996 - RFC 5702: RSASHA256 and RSASHA512 support enabled by default.
8997 - ldns tarball updated (which also enables rsasha256 support).
9000 - iana portlist updated.
9003 - please doxygen
9004 - add val-log-level print to corner case (nameserver.epost.bg).
9005 - more detail to errors from insecure delegation checks.
9006 - Fix double time subtraction in negative cache reported by
9008 - Made new validator error string available from libunbound for
9009 applications. It is in result->why_bogus, a zero-terminated string.
9010 unbound-host prints it by default if a result is bogus.
9014 - retry for validation failure in DS and prime results. Less mem use.
9016 - retry for validation failure in DNSKEY in middle of chain of trust.
9018 - retry for empty non terminals in chain of trust and unit test.
9019 - Fixed security bug where the signatures for NSEC3 records were not
9022 - moved version number to 1.4.0 because of 1.3.4 release with only
9024 - val-log-level: 2 shows extended error information for validation
9032 - Test set updated to provide additional ns lookup result.
9037 - first validation failure retry code. Retries for data failures.
9041 - improve 5011 modularization.
9042 - fix unbound-host so -d can be given before -C.
9043 - iana portlist updated.
9046 - autotrust-anchor-file can read multiline input and $ORIGIN.
9047 - prevent integer overflow in holddown calculation. review fixes.
9048 - fixed race condition in trust point revocation. review fix.
9049 - review fixes to comments, removed unused code.
9052 - so-rcvbuf: 4m option added. Set this on large busy servers to not
9054 netstat -su keeps a counter of UDP dropped due to full buffers.
9055 - review of validator/autotrust.c, small fixes and comments.
9058 - 5011 query failed counts verification failures, not lookup failures.
9059 - 5011 probe failure handling fixup.
9060 - test unbound reading of original autotrust data.
9061 The metadata per-key, such as key state (PENDING, MISSING, VALID) is
9065 - autotrust test with algorithm rollover, new ordering of checks
9067 - autotrust test with algorithm rollover to unknown algorithm.
9069 - autotrust test with trust point revocation, becomes unsigned.
9070 - fix DNSSEC-missing-signature detection for minimal responses
9074 - autotrust tests, fix trustpoint timer deletion code.
9076 - autotrust: pick up REVOKE even if not signed with known other keys.
9079 - fix compile of unbound-host when --enable-alloc-checks.
9080 - Fix lookup problem reported by Koh-ichi Ito and Jaap Akkerhuis.
9081 - Manual page fixes reported by Tony Finch.
9084 - Fix memory leak reported by Tao Ma.
9085 - Fix memstats test tool for log-time-ascii log format.
9088 - iana portlist updated.
9091 - increased MAXSYSLOGLEN so .bg key can be printed in debug output.
9092 - use linebuffering for log-file: output, this can be significantly
9098 - Fix bug where DNSSEC-bogus messages were marked with too high TTL.
9101 - regression test for that bug.
9102 - documented that load_cache is meant for debugging.
9105 - fixup printing errors when load_cache, they were printed to the
9107 - new ldns - with fixed parse of large SOA values.
9110 - autotrust testbound scenarios.
9111 - autotrust fix that failure count is written to file.
9112 - autotrust fix that keys may become valid after add holddown time
9116 - Changes to make unbound work with libevent-2.0.3 alpha. (in
9118 - do not call sphinx for documentation when python is disabled.
9119 - remove EV_PERSIST from libevent timeout code to make the code
9120 compatible with the libevent-2.0. Works with older libevent too.
9121 - fix memory leak in python code.
9124 - Got a patch from Luca Bruno for libunbound support on windows to
9126 - included ldns updated (enum warning fixed).
9127 - makefile fix for parallel makes.
9128 - Patch from Zdenek Vasicek and Attila Nagy for using the source IP
9130 - doxygen comment fixes.
9133 - TRAFFIC keyword for testbound. Simplifies test generation.
9135 - test with 5011-prepublish rollover and revocation.
9136 - fix revocation of RR for autotrust, stray exclamation mark.
9139 - testbound variable arithmetic.
9140 - autotrust probe time is randomised.
9141 - autotrust: the probe is active and does not fetch from cache.
9144 - testbound variable processing.
9147 - fixup unbound-control lookup to print forward and stub servers.
9150 - autotrust: mesh answer callback is empty.
9153 - autotrust probing.
9154 - iana portlist updated.
9157 - fixup memleak in trust anchor unsupported algorithm check.
9158 - iana portlist updated.
9159 - autotrust options: add-holddown, del-holddown, keep-missing.
9160 - autotrust store revoked status of trust points.
9161 - ctime_r compat definition.
9162 - detect yylex_destroy() in configure.
9163 - detect SSL_get_compression_methods declaration in configure.
9164 - fixup DS lookup at anchor point with unsigned parent.
9165 - fixup DLV lookup for DS queries to unsigned domains.
9168 - cleaner memory allocation on exit. autotrust test routines.
9169 - free all memory on program exit, fix for ssl and flex.
9172 - autotrust: debug routines. Read,write and conversions work.
9175 - autotrust: save and read trustpoint variables.
9178 - autotrust: state table updates.
9179 - iana portlist updated.
9182 - autotrust: process events.
9185 - Fix so that servers are only blacklisted if they fail to reply
9187 - autotrust work, split up DS verification of DNSKEYs.
9190 - unbound-control lookup prints out infra cache information, like RTT.
9191 - Fix bug in DLV lookup reported by Amanda from Secure64.
9196 - autotrust read anchor files. locked trust anchors.
9199 - autotrust import work.
9202 - Check for openssl compatible with gost if enabled.
9203 - updated unit test for GOST=211 code.
9205 - iana portlist updated.
9208 - call OPENSSL_config() in unbound and unit test so that the
9210 - removed small memory leak from config file reader.
9213 - configure --enable-gost for GOST support, experimental
9214 implementation of draft-dolmatov-dnsext-dnssec-gost-01.
9215 - iana portlist updated.
9216 - ldns tarball updated (with GOST support).
9219 - trunk moved to 1.3.4.
9222 - Added test that the examples from draft rsasha256-14 verify.
9223 - iana portlist updated.
9224 - tagged 1.3.3
9227 - nicer warning when algorithm not supported, tells you to upgrade.
9228 - iana portlist updated.
9231 - Updated unbound-cacti contribution from Dmitriy Demidov, with
9233 - iana portlist updated.
9236 - Fix bug found by Michael Tokarev where unbound would try to
9239 - tagged 1.3.3rc1
9242 - Fix server selection, so that it waits for open target queries when
9246 - Ignore transient sendto errors, no route to host, and host, net down.
9247 - contrib/update-anchor.sh has -r option for root-hints.
9248 - feature val-log-level: 1 prints validation failures so you can
9252 - fix replacement malloc code. Used in crosscompile.
9253 - makedist -w creates crosscompiled setup.exe on fedora11.
9256 - dependencies for compat items, for crosscompile.
9257 - mingw32 crosscompile changes, dependencies and zipfile creation.
9259 - package libgcc_s_sjlj exception handler for NSISdl.dll.
9262 - updated ldns tarball for solaris x64 compile assistance.
9263 - no need to define RAND_MAX from config.h.
9264 - iana portlist updated.
9265 - configure changes and ldns update for mingw32 crosscompile.
9268 - Fix for crash at start on windows.
9269 - tag for release 1.3.2.
9270 - trunk has version 1.3.3.
9271 - Fix for ID bits on windows to use all 16. RAND_MAX was not
9275 - tag for release 1.3.1.
9276 - trunk has version 1.3.2.
9279 - iana portlist updated.
9282 - prettier error handling in SSL setup.
9283 - makedist.sh uname fix (same as ldns).
9284 - updated fedora spec file.
9287 - fixup linking when ldnsdir is "".
9290 - more lenient truncation checks.
9293 - ldns trunk r2959 imported as tarball, because of solaris cc compile
9295 - better wrongly_truncated check.
9296 - On Linux, fragment IPv6 datagrams to the IPv6 minimum MTU, to
9300 - Fix EDNS fallback when EDNS works for short answers but long answers
9304 - fixup iter priv strict aliasing while preserving size of sockaddr.
9305 - iana portlist updated. (one less port allocated, one more fraction
9307 - updated fedora specfile in contrib from Paul Wouters.
9310 - Fixup strict aliasing warning in iter priv code.
9312 - iana portlist updated.
9313 - harden-referral-path: handle cases where NS is in answer section.
9316 - Fix of message parse bug where (specifically) an NSEC and RRSIG
9319 - Extreme lenience for wrongly truncated replies where a positive
9322 - autoconf 2.63 for configure.
9323 - python warnings suppress. Keep python API away from header files.
9326 - CREDITS entry for cz.nic, sponsoring a 'summer of code' that was
9330 - Fixup opportunistic target query generation to it does not
9332 - Touchup on munin total memory report.
9333 - messages picked out of the cache by the iterator are checked
9338 - iana portlist updated.
9341 - Fixed bug where cached responses would lose their security
9346 - bug #254. removed random whitespace from example.conf.
9349 - Fixup potential wrong NSEC picked out of the cache.
9350 - If unfulfilled callbacks are deleted they are called with an error.
9351 - fptr wlist checks for mesh callbacks.
9352 - fwd above stub in configuration works.
9355 - Fix queries for type DS when forward or stub zones are there.
9361 - Added build-unbound-localzone-from-hosts.pl to contrib, from
9363 - same thing fixed for forward-zone and DS, chain of trust from
9364 public internet into the forward-zone works now. Added unit test.
9367 - openssl key files are opened apache-style, when user is root and
9368 before chrooting. This makes permissions on remote-control key
9370 - flush_type and flush_name remove msg cache entries.
9371 - codereview - dp copy bogus setting fix.
9374 - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause
9376 - 1.3.0 tarball for release created.
9377 - 1.3.1 development in svn trunk.
9378 - iana portlist updated.
9379 - fix lint from complaining on ldns/sha.h.
9380 - help compiler figure out aliasing in priv_rrset_bad() routine.
9381 - fail to configure with python if swig is not found.
9382 - unbound_munin_ in contrib uses ps to show rss if sbrk does not work.
9385 - fixup bad free() when wrongly encoded DSA signature is seen.
9387 - review comments from Matthijs.
9390 - --enable-sha2 option. The draft rsasha256 changed its algorithm
9393 - ldns trunk included as new tarball.
9394 - recreated the 1.3.0 tag in svn. rc1 tarball generated at this point.
9397 - fixup doc bug in README reported by Matthew Dempsky.
9400 - update iana port list
9401 - update ldns lib tarball
9404 - detect lack of IPv6 support on XP (with a different error code).
9405 - Fixup a crash-on-exit which was triggered by a very long queue.
9406 Unbound would try to re-use ports that came free, but this is
9410 - change in debug statements.
9411 - Fixed bug that could cause a crash if root prime failed when there
9415 - Thanks again to Brett Carr, found an assertion that was not true.
9419 - Thanks to Brett Carr, caught windows resource leak, use
9422 - Removed usage of windows Mutex because windows cannot handle enough
9426 - created svn tag for 1.3.0.
9429 - optimised cname from cache.
9430 - ifdef windows functions in testbound.
9433 - fix for threadsafety in solaris thr_key_create() in tests.
9434 - iana portlist updated.
9435 - fix pylib test for Darwin.
9436 - fix pymod test for Darwin and a python threading bug in pymod init.
9437 - check python >= 2.4 in configure.
9438 - -ldl check for libcrypto 1.0.0beta.
9441 - fix for build outside sourcedir.
9442 - fix for configure script swig detection.
9445 - Fix reentrant in minievent handler for unix. Could have resulted
9447 - timers do not take up a fd slot for winsock handler.
9448 - faster fix for winsock reentrant check.
9449 - fix rsasha512 unit test for new (interim) algorithm number.
9450 - fix test:ldns doesn't like DOS line endings in keyfiles on unix.
9451 - fix compile warning on ubuntu (configlexer fwrite return value).
9452 - move python include directives into CPPFLAGS instead of CFLAGS.
9455 - winsock event handler exit very quickly on signal, even if
9457 - iana portlist updated.
9458 - fixup windows winsock handler reentrant problem.
9461 - bug #245: fix munin plugin, perform cleanup of stale lockfiles.
9462 - makedist.sh; better help text.
9463 - cache-min-ttl option and tests.
9464 - mingw detect error condition on TCP sockets (NOTCONN).
9467 - Fix for removal of RSASHA256_NSEC3 protonumber from ldns.
9468 - ldns tarball updated.
9469 - iana portlist update.
9470 - detect GOST support in openssl-1.0.0-beta1, and fix compile problem
9474 - windows compile fix.
9475 - Detect FreeBSD jail without ipv6 addresses assigned.
9476 - python libunbound wrapper unit test.
9477 - installs the following files. Default is to not build them.
9478 from configure --with-pythonmodule:
9479 /usr/lib/python2.x/site-packages/unboundmodule.py
9480 from configure --with-pyunbound:
9481 /usr/lib/python2.x/site-packages/unbound.py
9482 /usr/lib/python2.x/site-packages/_unbound.so*
9485 - python invalidate routine respects packed rrset ids and locks.
9486 - clock skew checks in unbound, config statements.
9487 - nxdomain ttl considerations in requirements.txt
9490 - Fixed a bug that caused messages to be stored in the cache too
9493 - documentation test fixed for python addition.
9496 - pyunbound (libunbound python plugin) compiles using libtool.
9497 - documentation for pythonmod and pyunbound is generated in doc/html.
9498 - iana portlist updated.
9499 - fixed bug in unbound-control flush_zone where it would not flush
9502 - python module test package.
9505 - suppress errors when trying to contact authority servers that gave
9509 - new libunbound calls documented.
9510 - pyunbound in libunbound/python. Removed compile warnings.
9514 - Fixup LDFLAGS from libevent sourcedir compile configure restore.
9515 - Fixup so no non-absolute rpaths are added.
9516 - Fixup validation of RRSIG queries, they are let through.
9517 - read /dev/random before chroot
9518 - checkconf fix no python checks when no python module enabled.
9519 - fix configure, pthread first, so other libs do not change outcome.
9522 - nicer -h output. report linked libraries and modules.
9523 - prints modules in intuitive order (config file friendly).
9524 - python compiles easily on BSD.
9527 - ignore swig varargs warnings with gcc.
9528 - remove duplicate example.conf text from python example configs.
9529 - outofdir compile fix for python.
9530 - pyunbound works.
9531 - print modules compiled in on -h. manpage.
9534 - initial import of the python contribution from Zdenek Vasicek and
9536 - pythonmod in Makefile; changes to remove warnings/errors for 1.3.0.
9539 - more neat configure.ac. Removed duplicate config.h includes.
9540 - neater config.h.in.
9541 - iana portlist updated.
9542 - fix util/configlexer.c and solaris -std=c99 flag.
9543 - fix postcommit aclocal errors.
9544 - spaces stripped. Makefile cleaner, /usr omitted from -I, -L, -R.
9545 - swap order of host detect and libtool generation.
9548 - added launchd plist example file for MacOSX to contrib.
9549 - deprecation test for daemon(3).
9550 - moved common configure actions to m4 include, prettier Makefile.
9553 - bug #239: module-config entries order is important. Documented.
9554 - build fix for test asynclook.
9557 - winrc/README.txt dos-format text file.
9558 - iana portlist updated.
9559 - use _beginthreadex() when available (performs stack alignment).
9560 - defaults for windows baked into configure.ac (used if on mingw).
9563 - Added tests, unknown algorithms become insecure. fallback works.
9564 - Fix for and test for unknown algorithms in a trust anchor
9568 - domain-insecure: "example.com" statement added. Sets domain
9570 of a trust-anchor.
9573 - unit test for unsupported algorithm in anchor warning.
9574 - fixed so queries do not fail on opportunistic target queries.
9577 - fixup diff error printout in contrib/update-itar.sh.
9578 - added contrib/unbound_cacti for statistics support in cacti,
9582 - doxygen and lex/yacc on linux.
9583 - strip update-anchor on makedist -w.
9584 - fix testbound on windows.
9585 - default log to syslog for windows.
9586 - uninstaller can stop unbound - changed text on it to reflect that.
9587 - remove debugging from windows 'cron' actions.
9590 - log to App.logs on windows prints executable identity.
9591 - fixup tests.
9592 - munin plugin fix benign locking error printout.
9593 - anchor-update for windows, called every 24 hours; unbound reloads.
9596 - winsock event handler resets WSAevents after signalled.
9597 - winsock event handler tests if signals are really signalled.
9598 - install and service with log to file works on XP and Vista on
9600 - on windows logging to the Application logbook works (as a service).
9601 - fix RUN_DIR on windows compile setting in makedist.
9602 - windows registry has Software\Unbound\ConfigFile element.
9603 If does not exist, the default is used. The -c switch overrides it.
9604 - fix makedist version cleanup function.
9607 - makedist -w strips out old rc.. and snapshot info from version.
9608 - setup.exe starts and stops unbound after install, before uninstall.
9609 - unbound-checkconf recognizes absolute pathnames on windows (C:...).
9612 - Nullsoft NSIS installer creation script.
9615 - fixup memory leak introduced on 18feb in mesh reentrant fix.
9618 - combined icon with 16x16(4) 32x32(4) 48x48(8) 64x64(8).
9619 - service works on xp/vista, no config necessary (using defaults).
9620 - windows registry settings.
9623 - fixup --export-symbols to be -export-symbls for libtool.
9626 - iana portlist updated.
9627 - document FAQ entry on stub/forward zones and default blocking.
9628 - fix asynclook test app for libunbound not exporting symbols.
9629 - service install and remove utils that work with vista UAC.
9632 - Fixup lexer, to not give warnings about fwrite. Appeared in
9634 - makedistro functionality for mingw. Has RC support.
9635 - support spaces and backslashes in configured defaults paths.
9636 - register, deregister in service control manager.
9639 - windres usage for application resources.
9642 - isc moved their dlv key download location.
9643 - fixup warning on vista/mingw.
9644 - makedist -w for window zip distribution first version.
9647 - Fixup contrib/update-itar.sh, the exit codes 1 and 0 were swapped.
9648 Nicer script layout. Added url to site in -h output.
9651 - unbound-checkconf and unbound print warnings when trust anchors
9653 - added contrib/update-itar.sh This script is similar to
9654 update-anchor.sh, and updates from the IANA ITAR repository.
9657 - iana portlist updated.
9658 - update-itar.sh: using ftp:// urls because https godaddy certificate
9663 - more cycle detection. Also for target queries.
9664 - fixup bug where during deletion of the mesh queries the callbacks
9668 - iana portlist updated.
9671 - forwarder information now per-thread duplicated.
9673 - forward command for unbound control to change forwarders to use
9675 - document that unbound-host reads no config file by default.
9676 - updated iana portlist.
9679 - call setusercontext if available (on BSD).
9680 - small refactor of stats clearing.
9681 - #227: flush_stats feature for unbound-control.
9682 - stats_noreset feature for unbound-control.
9683 - flush_requestlist feature for unbound-control.
9684 - libunbound version upped API (was changed 5 feb).
9685 - unbound-control status shows if root forwarding is in use.
9686 - slightly nicer memory management in iter-fwd code.
9689 - keys with rfc5011 REVOKE flag are skipped and not considered when
9691 - iana portlist updated
9692 - #226: dump_requestlist feature for unbound-control.
9695 - contrib contains specfile for fedora 1.2.1 (from Paul Wouters).
9696 - iana portlist updated.
9697 - fixup EOL in include directive (reported by Paul Wouters).
9699 - config parser changed. Gives some syntax errors closer to where they
9702 - verbosity level 5 logs customer IP for new requestlist entries.
9703 - test fix, lexer and cancel test.
9704 - new option log-time-ascii: yes if you enable it prints timestamps
9706 - detect event_base_new in libevent-1.4.1 and later and use it.
9707 - #231 unbound-checkconf -o option prints that value from config file.
9711 - ldns 1.5.0 rc as tarball included.
9712 - 1.3.0 development continues:
9720 - MacOSX Leopard cleaner text output from configure.
9721 - initgroups(3) is called to drop secondary group permissions, if
9723 - configure option --with-ldns-builtin forces the use of the
9724 inluded ldns package with the unbound source. The -I include
9727 - daemon(3) posix call is used when available.
9728 - testbound test for older fix added.
9731 - tag for release 1.2.1.
9732 - trunk setup for 1.3.0 development.
9735 - noted feature requests in doc/TODO.
9736 - printout more detailed errors on ssl certificate loading failures.
9737 - updated IANA portlist.
9740 - more quiet about ipv6 network failures, i.e. when ipv6 is not
9743 - unbound-host -4 and -6 options. Stops annoying ipv6 errors when
9744 debugging with unbound-host -4 -d ...
9745 - more cycle detection for NS-check, addr-check, root-prime and
9746 stub-prime queries in the iterator. Avoids possible deadlock
9750 - bug #229: fixup configure checks for compilation with Solaris
9752 - fixup suncc warnings.
9753 - fix bug where unbound could crash using libevent 1.3 and older.
9754 - update testset for recent retry change.
9757 - 1.2.1 feature: negative caching for failed queries.
9760 - the TTL comparison for the cache used different comparisons,
9763 - retry from 4 to 5 so that EDNS drop retry is part of the first
9765 - remove debug prints that protect against bad referrals.
9766 - honor QUIET=no on make commandline (or QUIET=yes ).
9769 - fixed bug in lameness marking, removed printouts.
9770 - find NS rrset more cleanly for qtype NS.
9771 - Moved changes to 1.2.0 for release. Thanks to Mark Zealey for
9773 - 1.2.1 feature: stops resolving AAAAs promiscuously when they
9777 - fixed bug in infrastructure lameness cache, did not lowercase
9779 - lameness debugging printouts.
9782 - created svn tag for 1.2.0 release.
9783 - svn trunk contains 1.2.1 version number.
9784 - iana portlist updated for todays list.
9785 - removed debug print.
9788 - new version of ldns-trunk (today) included as tarball, fixed
9789 bug #224, building with -j race condition.
9790 - remove possible race condition in the test for race conditions.
9793 - version 1.2.0 in preparation.
9794 - feature to allow wildcards (*, ?, [], {}. ~) in trusted-keys-file
9796 - typo fix and iana portlist updated.
9797 - porting testsuite; unused var warning, and type fixup.
9800 - fixup packet-of-death when compiled with --enable-debug.
9802 - added test for HINFO canonicalisation behaviour.
9803 - fixup reported problem with transparent local-zone data where
9807 - HINFO no longer downcased for validation, making unbound compatible
9809 - fix reading included config files when chrooted.
9812 - fix libunbound message transport when no packet buffer is available.
9815 - fixup getaddrinfo failure handling for remote control port.
9816 - added L.ROOT-SERVERS.NET. AAAA 2001:500:3::42 to builtin root hints.
9817 - fixup so it works with libev-3.51 from http://dist.schmorp.de/libev/
9818 - comm_timer_set performs base_set operation after event_add.
9821 - fixed bug reported by Duane Wessels: error in DLV lookup, would make
9823 - follows -rc makedist from ldns changes (no _rc).
9824 - ldns tarball updated with 1.4.1rc for DLV unit test.
9825 - verbose prints about recursion lame detection and server selection.
9826 - fixup BSD port for infra host storage. It hashed wrongly.
9827 - fixup makedist snapshot name generation.
9828 - do not reopen syslog to avoid dev/log dependency.
9831 - follows ldns makedist.sh. -rc option. autom4te dir removed.
9832 - unbound-control status command.
9833 - extended statistics has a number of ipv6 queries counter.
9837 - follow makedist improvements from ldns, for maintainers prereleases.
9838 - snapshot version uses _ not - to help rpm distinguish the
9842 - better fix for bug #219: use LOG_NDELAY with openlog() call.
9846 - bug #221 fixed: unbound checkconf checks if key files exist if
9848 - iana portlist updated.
9851 - Fix problem reported by Jaco Engelbrecht where unbound-control stats
9854 - iana portlist updated.
9855 - test for remote control with interprocess communication.
9856 - created command distribution mechanism so that remote control
9859 - fixup remote control local_data addition memory corruption bug.
9862 - SElinux policy files in contrib/selinux for the unbound daemon,
9866 - configure complains when --without-ssl is given (bug #220).
9867 - skip unsupported feature tests on vista/mingw.
9868 - fixup testcode/streamtcp to work on vista/mingw.
9869 - root-hints test checks version of dig required.
9870 - blacklisted servers are polled at a low rate (1%) to see if they
9874 - document that the user of the server daemon needs read privileges
9875 on the keys and certificates generated by unbound-control-setup.
9878 i.e. sudo -u unbound unbound-control-setup
9879 - testset port to vista/mingw.
9880 - tcp_sigpipe to freebsd port.
9883 - fixed tcp accept, errors were printed when they should not.
9884 - unbound-control-setup.sh removes read/write permissions other
9888 - fixup fatal error due to faulty error checking after tcp accept.
9889 - add check in rlimit to avoid integer underflow.
9890 - rlimit check with new formula; better estimate for number interfaces
9891 - nicer comments in rlimit check.
9892 - tag 1.1.1 created in svn.
9893 - trunk label is 1.1.2
9896 - bug #219: fixed so that syslog which delays opening until the first
9900 - iana portlist updated.
9901 - removed cast in unit test debug print that was not 64bit safe.
9902 - trunk back to 1.1.0; copied to tags 1.1.0 release.
9903 - trunk to has version number 1.1.1 again.
9904 - in 1.1.1; make clean nicer. grammar in manpage.
9907 - theoretical fix for problems reported on mailing list.
9908 If a delegation point has no A but only AAAA and do-ip6 is no,
9912 - test for above, only AAAA and doip6 is no. Fix causes A record
9914 - fixup address duplication on cache fillup for delegation points.
9915 - testset updated for new query answer requirements.
9918 - created 1.1.0 release tag in svn.
9919 - trunk moved to 1.1.1
9920 - fixup unittest-neg for locking.
9923 - added fedora init and specfile to contrib (by Paul Wouters).
9924 - added configure check for ldns 1.4.0 (using its compat funcs).
9925 - neater comments in worker.h.
9926 - removed doc/plan and updated doc/TODO.
9927 - silenced EHOSTDOWN (verbosity 2 or higher to see it).
9928 - review comments from Jelte, Matthijs. Neater code.
9931 - add unbound-control manpage to makedist replace list.
9934 - unit test for negative cache, stress tests the refcounting.
9935 - fix for refcounting error that could cause fptr_wlist fatal exit
9938 - nicer comments in cachedump about failed RR to string conversion.
9939 - fix 32bit wrap around when printing large (4G and more) mem usage
9943 - fixup the getaddrinfo compat code rename.
9946 - added configure check for eee build warning.
9949 - fix bug 217: fixed, setreuid and setregid do not work on MacOSX10.4.
9950 - detect nonblocking problems in network stack in configure script.
9953 - dname_priv must decompress the name before comparison.
9954 - iana portlist updated.
9957 - fixed possible memory leak in key_entry_key deletion.
9959 - if query and reply qname overlap, the bytes are skipped not copied.
9960 - fixed file descriptor leak when messages were jostled out that
9962 - DNAMEs used from cache have their synthesized CNAMEs initialized
9964 - fixed file descriptor leak for localzone type deny (for TCP).
9965 - fixed memleak at exit for nsec3 negative cached zones.
9966 - fixed memleak for the keyword 'nodefault' when reading config.
9967 - made verbosity of 'edns incapable peer' warning higher, so you
9969 - caught elusive Bad file descriptor error bug, that would print the
9973 - fixed -Wwrite-strings warnings that result in better code.
9976 - fixup build process for Mac OSX linker, use ldns b32 compat funcs.
9977 - generated configure with autoconf-2.61.
9978 - iana portlist updated.
9979 - detect if libssl needs libdl. For static linking with libssl.
9980 - changed to use new algorithm identifiers for sha256/sha512
9982 - updated the included ldns tarball.
9983 - proper detection of SHA256 and SHA512 functions (not just sizes).
9986 - a little more debug info for failure on signer names. prints names.
9989 - CFLAGS are picked up by configure from the environment.
9990 - iana portlist updated.
9991 - updated ldns to use 1.4.0-pre20081022 so it picks up CFLAGS too.
9992 - new stub-prime: yesno option. Default is off, so it does not prime.
9994 - made automated test that checks if builtin root hints are uptodate.
9995 - finished draft-wijngaards-dnsext-resolver-side-mitigation
9996 implementation. The unwanted-reply-threshold can be set.
9997 - fixup so fptr_whitelist test in alloc.c works.
10000 - fix update-anchors.sh, so it does not report different RR order
10002 - fixup testbound on windows, the command control pipe doesn't exist.
10003 - skip 08hostlib test on windows, no fork() available.
10004 - made unbound-remote work on windows.
10007 - quench a log message that is debug only.
10008 - iana portlist updated.
10009 - do not query bogus nameservers. It is like nameservers that have
10011 - if server selection is faced with only bad choices, it will
10013 - changed bogus-ttl default value from 900 to 60 seconds.
10022 - fixup unbound-control compilation on windows.
10025 - port Leopard/G5: fixup type conversion size_t/uint32.
10027 - harden referral path now also validates the root after priming.
10032 - Fixup negative TTL values appearing (reported by Attila Nagy).
10035 - better documentation for 0x20; remove fallback TODO, it is done.
10036 - harden-referral-path feature includes A, AAAA queries for glue,
10038 A, AAAA use the delegation from the NS-query.
10041 - fwd_three.tpkg test was flaky. If the three requests hit the
10044 - stub_udp.tpkg changed to work, give root hints. fixed ldns_dname_abs.
10045 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081014).
10047 - fwd_three test remains flaky now that unbound does not stop
10050 Mostly only useful for lock-check testing now.
10053 - fixed recursion servers deployed as authoritative detection, so
10056 - iana port list update.
10057 - ldns tarball is snapshot of ldns r2759 (1.4.0-pre-20081013).
10060 - fixup tests - the negative cache contained the correct NSEC3s for
10064 - negative cache caps max iterations of NSEC3 done.
10065 - NSEC3 negative cache for qtype DS works.
10068 - NSEC negative cache for DS.
10071 - jostle-timeout option, so you can config for slow links.
10072 - 0x20 fallback code. Tries 3xnumber of nameserver addresses
10074 - documented choices for DoS, EDNS, 0x20.
10077 - fixup unlink of pidfile.
10078 - fixup SHA256 algorithm collation code.
10079 - contrib/update-anchor.sh does not overwrite anchors if not needed.
10081 so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart
10085 - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.
10086 - tests for sha256 support and downgrade resistance.
10087 - RSASHA256 and RSASHA512 support (using the draft in dnsext),
10089 - when using stub on localhost (127.0.0.1@10053) unbound works.
10092 - shorthand for reverse PTR, local-data-ptr: "1.2.3.4 www.ex.com"
10095 - EDNS lameness detection, if EDNS packets are dropped this is
10097 - multiple query timeout rtt backoff does not backoff too much.
10100 - tests for remote-control.
10101 - small memory leak in exception during remote control fixed.
10102 - fixup for lock checking but not unchecking in remote control.
10103 - iana portlist updated.
10106 - Msg cache is loaded. A cache load enables cache responses.
10107 - unbound-control flush [name], flush_type and flush_zone.
10110 - dump_cache and load_cache statements in unbound-control.
10115 - locking on the localdata structure.
10116 - add and remove local zone and data with unbound-control.
10117 - ldns trunk snapshot updated, make tests work again.
10120 - fixup error in time calculation.
10121 - munin plugin improvements.
10122 - nicer abbreviations for high query types values (ixfr, axfr, any...)
10123 - documented the statistics output in unbound-control man page.
10124 - extended statistics prints out histogram, over unbound-control.
10127 - locking for threadsafe bogus rrset counter.
10128 - ldns trunk no longer exports b32 functions, provide compat.
10129 - ldns tarball updated.
10130 - testcode/ldns-testpkts.c const fixups.
10131 - fixed rcode stat printout.
10132 - munin plugin in contrib.
10133 - stats always printout uptime, because stats plugins need it.
10136 - extended-statistics: yesno config option.
10137 - unwanted replies spoof nearmiss detector.
10138 - iana portlist updated.
10141 - working start, stop, reload commands for unbound-control.
10142 - test for unbound-control working; better exit value for control.
10143 - verbosity control via unbound-control.
10144 - unbound-control stats.
10147 - removed browser control mentions. Proto speccy.
10150 - set nonblocking on new TCP streams, because linux does not inherit
10152 - fix TCP timeouts.
10153 - SSL protected connection between server and unbound-control.
10156 - remove memleak in privacy addresses on reloads and quits.
10157 - remote control work.
10160 - smallapp/unbound-control-setup.sh script to set up certificates.
10163 - scrubber scrubs away private addresses.
10164 - test for private addresses. man page entry.
10165 - code refactored for name and address tree lookups.
10168 - options for 'DNS Rebinding' protection: private-address and
10169 private-domain.
10170 - dnstree for reuse of routines that help with domain, addr lookups.
10171 - private-address and private-domain config option read, stored.
10174 - DoS protection features. Queries are jostled out to make room.
10175 - testbound can pass time, increasing the internal timer.
10176 - do not mark unsigned additionals bogus, leave unchecked, which
10180 - disallow nonrecursive queries for cache snooping by default.
10181 You can allow is using access-control: <subnet> allow_snoop.
10183 - two tests for it and fixups of tests for nonrec refused.
10186 - version 1.1 number in trunk.
10187 - harden-referral-path option for query for NS records.
10191 - fixup logfile handling; it is created with correct permissions
10194 and these are only visible by using the -d commandline flag.
10197 - daemon(3) is causing problems for people. Reverting the patch.
10199 - bug#199 fixed: pidfile can be outside chroot. openlog is done before
10201 - config option to set size of aggressive negative cache,
10202 neg-cache-size.
10203 - bug#203 fixed: dlv has been implemented.
10206 - test for insecure zone when DLV is in use, also does negative cache.
10207 - test for trustanchor when DLV is in use (the anchor works).
10208 - test for DLV used for a zone below a trustanchor.
10209 - added scrub filter for overreaching NSEC records and unit test.
10210 - iana portlist update
10211 - use of setresuid or setreuid when available.
10212 - use daemon(3) if available.
10215 - realclean patch from Robert Edmonds.
10218 - nicer debuglogging of DLV.
10219 - test with secure delegation inside the DLV repository.
10222 - negative cache code linked into validator, for DLV use.
10224 - iana portlist update.
10225 - dlv-anchor option for unit tests.
10226 - fixup NSEC_AT_APEX classification for short typemaps.
10227 - ldns-testns has subdomain checks, for unit tests.
10230 - negative cache code, reviewed.
10233 - changes info: in logfile to notice: info: or debug: depending on
10236 - bug #208: extra rc.d unbound flexibility for freebsd/nanobsd.
10239 - DLV nsec code fixed for better detection of closest existing
10241 - DLV works, straight to the dlv repository, so not for production.
10242 - Iana port update.
10245 - synthesize DLV messages from the rrset cache, like done for DS.
10248 - bug #203: nicer do-auto log message when user sets incompatible
10250 - bug #204: variable name ameliorated in log.c.
10251 - bug #206: in iana_update, no egrep, but awk use.
10252 - ldns snapshot r2699 taken (includes DLV type).
10253 - DLV work, config file element, trust anchor read in.
10256 - finished adjusting testset to provide qtype NS answers.
10259 - Fixup rrset security updates overwriting 2181 trust status.
10262 - Fix assertion fail on bogus key handling.
10263 - dnssec lameness detection works on first query at trust apex.
10264 - NS queries get proper cache and dnssec lameness treatment.
10265 - fixup compilation without pthreads on linux.
10268 - NS queries are done after every referral.
10272 - Scrubber more strict. CNAME chains, DNAMEs from cache, other
10274 - 1.0.2 released from 1.0 support branch.
10275 - fixup update-anchor.sh to work both in BSD shell and bash.
10278 - fixup DS test so apex nodata works again.
10281 - iana port update.
10282 - TODO update.
10283 - fix bug 201: null ptr deref on cleanup while udp pkts wait for port.
10284 - added explanatory text for outgoing-port-permit in manpage.
10287 - fixup bug qtype DS for unsigned zone and signed parent validation.
10290 - added original copyright statement of OpenBSD arc4random code.
10291 - created tube signaling solution on windows, as a pipe replacement.
10293 - removed very insecure socketpair compat code. It also did not
10295 - unbound -h prints openssl version number as well.
10298 - moved pipe actions to util/tube.c. easier porting and shared code.
10299 - check _raw() commpoint callbacks with fptr_wlist.
10300 - iana port update.
10303 - #198: nicer entropy warning message. manpage OS hints.
10306 - #198: fixup man page to suggest chroot entropy fix.
10309 - branch for 1.0 support.
10310 - trunk work on tube.c.
10313 - fix bug #196, compile outside source tree.
10314 - fix bug #195, add --with-username=user configure option.
10315 - print error and exit if started with config that requires more
10319 - made svn tag 1.0.1, trunk now 1.0.2
10320 - sha256 checksums enabled in makedist.sh
10323 - Follow draft-ietf-dnsop-default-local-zones-06 added reverse
10325 - fixup lookup of DS records by client with trustanchor for same.
10326 - libunbound ub_resolve, fix handling of error condition during setup.
10327 - lowered log_hex blocksize to fit through BSD syslog linesize.
10328 - no useless initialisation if getpwnam not available.
10329 - iana, ldns snapshot updated.
10332 - Matthijs fixed memory leaks in root hints file reading.
10335 - fixup streamtcp bounds setting for udp mode, in the test framework.
10336 - contrib item for updating trust anchors.
10339 - fixup fwd_ancil test typos.
10340 - Fix for newegg lameness : ok for qtype=A, but lame for others.
10341 - fixup unit test for infra cache, test lame merging.
10342 - porting to mingw, bind, listen, getsockopt and setsockopt error
10346 - removed testcode/checklocks from production code compilation path.
10347 - streamtcp can use UDP mode (connected UDP socket), for testing IPv6
10349 - fwd_ancil test fails if platform support is lacking.
10352 - fixup minitpkg to cleanup on windows with its file locking troubles.
10353 - minitpkg shows skipped tests in report.
10354 - skip ipv6 tests on ipv4 only hosts (requires only ipv6 localhost not
10356 - winsock event handler keeps track of sticky TCP events, that have
10359 - skip tests that need signals when testing on mingw.
10362 - open testbound replay files in binary mode, because fseek/ftell
10363 do not work in ascii-mode on windows. The b does nothing on unix.
10365 - ioctlsocket prints nicer error message.
10366 - fixed up some TCP porting for winsock.
10367 - lack of IPv6 gives a warning, no fatal error.
10368 - use WSAGetLastError() on windows instead of errno for some errors.
10371 - outgoing num fds 32 by default on windows ; it supports less
10373 - winsock_event minievent handler for windows. (you could also
10375 - neater crypto check and gdi32 detection.
10376 - unbound.exe works to resolve and validate www.nlnetlabs.nl on vista.
10379 - on windows, use windows threads, mutex and thread-local-storage(Tls).
10380 - detect if openssl needs gdi32.
10381 - if no threading, THREADS_DISABLED is defined for use in the code.
10382 - sets USE_WINSOCK if using ws2_32 on windows.
10383 - wsa_strerror() function for more readable errors.
10384 - WSA Startup and Cleanup called in unbound.exe.
10387 - port mingw32, more signal ifdefs, detect sleep, usleep,
10389 - signed or unsigned FD_SET is cast.
10392 - fixup warnings compiling on eeepc xandros linux.
10395 - in iteration response type code
10398 * check if no AA bit for non-forwarder, and thus lame zone.
10400 - fixup unput warning from lexer on freeBSD.
10401 - bug#183. pidfile, rundir, and chroot configure options. Also the
10402 example.conf and manual pages get the configured defaults.
10404 --with-conf-file=filename
10405 --with-pidfile=filename
10406 --with-run-dir=path
10407 --with-chroot-dir=path
10410 - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
10412 - iana port updated.
10415 - updated libtool files with newer version.
10416 - iana portlist updated.
10419 - fixup local-zone: "30.172.in-addr.arpa." nodefault, so that the
10423 - Jelte fixed bugs in my absence
10424 - bug 178: fixed unportable shell usage in configure (relied on
10426 - bug 180: fixed buffer overflow in unbound-checkconf use of strncat.
10427 - bug 181: fixed buffer overflow in ldns (called by unbound to parse
10429 - fixes by Wouter
10430 - bug 177: fixed compilation failure on opensuse, the
10431 --disable-static configure flag caused problems. (Patch from
10433 - bug 179: same fix as 177.
10434 - bug 185: --disable-shared not passed along to ldns included with
10440 - update of the ldns tarball to current ldns svn version (fix 181).
10441 - bug 184: -r option for unbound-host, read resolv.conf for
10446 - mingw32 porting.
10447 - test for sys/wait.h
10448 - WSAEWOULDBLOCK test after nonblocking TCP connect.
10449 - write_iov_buffer removed: unused and no struct iov on windows.
10450 - signed/unsigned warning fixup mini_event.
10451 - use ioctlsocket to set nonblocking I/O if fnctl is unavailable.
10452 - skip signals that are not defined
10453 - detect pwd.h.
10454 - detect getpwnam, getrlimit, setsid, sbrk, chroot.
10455 - default config has no chroot if chroot() unavailable.
10456 - if no kill() then no pidfile is read or written.
10457 - gmtime_r is replaced by nonthreadsafe alternative if unavail.
10461 - contrib unbound.spec from Patrick Vande Walle.
10462 - fixup bug#175: call tzset before chroot to have correct timestamps
10464 - do not generate lex input and lex unput functions.
10465 - mingw port. replacement functions labelled _unbound.
10466 - fix bug 174 - check for tcp_sigpipe that ldns-testns is installed.
10469 - fedora 9, check in6_pktinfo define in configure.
10470 - CREDITS fixup of history.
10471 - ignore ldns-1.2.2 if installed, use builtin 1.3.0-pre alternative.
10474 - fixup for MacOSX hosts file reading (reported by John Dickinson).
10475 - created 1.0.0 svn tag.
10476 - trunk version 1.0.1.
10479 - accepted patch from Ondrej Sury for library version libtool option.
10480 - configure --disable-rpath fixes up libtool for rpath trouble.
10484 - Added root ipv6 addresses to builtin root hints.
10485 - TODO modified for post 1.0 plans.
10486 - trunk version set to 1.0.0.
10487 - no unnecessary linking with librt (only when libevent/libev used).
10490 - fixup no-ip4 problem with error callback in outside network.
10493 - DESTDIR is honored by the Makefile for rpms.
10494 - contrib files unbound.spec and unbound.init, builds working RPM
10496 - iana ports update.
10499 - chroot checks improved. working directory relative to chroot.
10501 - nicer example.conf text.
10502 - created 0.11 tag.
10505 - parseunbound.pl contrib update from Kai Storbeck for threads.
10506 - iana ports update
10509 - ignore SIGPIPE.
10510 - unit test for SIGPIPE ignore.
10513 - FEATURES document.
10514 - fixup reread of config file if it was given as a full path
10518 - requirements doc, updated clean query returns.
10519 - parseunbound.pl update from Kai Storbeck.
10520 - sunos4 porting changes.
10523 - fixup default rc.d pidfile location to /usr/local/etc.
10524 - iana ports updated.
10525 - copyright updated in ldns-testpkts to keep same as in ldns.
10526 - fixup checkconf chroot tests a bit more, chdir must be inside
10528 - documented 'gcc: unrecognized -KPIC option' errors on Solaris.
10529 - example.conf values changed to /usr/local/etc/unbound
10530 - DSA test work.
10531 - DSA signatures: unbound is compatible with both encodings found.
10535 - got update for parseunbound.pl statistics script from Kai Storbeck.
10536 - tpkg tests for udp wait list.
10537 - documented 0x20 status.
10538 - fixup chroot and checkconf, it is much smarter now.
10539 - fixup DSA EVP signature decoding. Solution that Jelte found copied.
10540 - and check first sig byte for the encoding type.
10543 - random port selection out of the configged ports.
10544 - fixup threadsafety for libevent-1.4.3+ (event_base_get_method).
10545 - removed base_port.
10546 - created 256-port ephemeral space for the OS, 59802 available.
10547 - fixup consistency of port_if out array during heavy use.
10550 - --with-libevent works with latest libevent 1.4.99-trunk.
10551 - added log file statistics perl script to contrib.
10552 - automatic iana ports update from makefile. 60058 available.
10555 - configure can detect libev(from its build directory) when passed
10556 --with-libevent=/home/wouter/libev-3.2
10557 libev-3.2 is a little faster than libevent-1.4.3-stable (about 5%).
10558 - unused commpoints not listed in epoll list.
10559 - statistics-cumulative option so that the values are not reset.
10560 - config creates array of available ports, 61841 available,
10565 - unbound tries to set the ulimit fds when started as server.
10569 - documented /dev/random symlink from chrootdir as FAQ entry.
10572 - implemented AD bit signaling. If a query sets AD bit (but not DO)
10575 path from the client to the resolver. Follows dnssec-updates draft.
10578 - implemented check that for NXDOMAIN and NOERROR answers a query
10586 - RTT banding. Band size 400 msec, this makes band around zero (fast)
10590 - -C config feature for harvest program.
10591 - harvest handles CNAMEs too.
10594 - patch from Hugo Koji Kobayashi for iterator logs spelling.
10597 - From report by Jinmei Tatuya, rfc2181 trust value for remainder
10599 - test for this fix.
10600 - default config file location is /usr/local/etc/unbound.
10605 - Create 0.10 svn tag.
10606 - 0.11 version in trunk.
10607 - indentation nicer.
10610 - documentation update.
10611 - fixup port to Solaris of perf test tool.
10612 - updated ldns-tarball with decl-after-statement fixes.
10615 - fixed memory leaks in libunbound (during cancellation and wait).
10616 - libunbound returns the answer packet in full.
10617 - snprintf compat update.
10618 - harvest performs lookup.
10619 - ldns-tarball update with fix for ldns_dname_label.
10620 - installs to sbin by default.
10621 - install all manual pages (unbound-host and libunbound too).
10624 - option to use caps for id randomness.
10625 - config file option use-caps-for-id: yes
10626 - harvest debug tool
10629 - delay utility delays TCP as well. If the server that is forwarded
10631 - delay does REUSE_ADDR, and can handle a server that closes its end.
10632 - answers use casing from query.
10635 - delay utility works. Gets decent thoughput too (>20000).
10638 - +2% for recursions, if identical queries (except for destination
10639 and query ID) in the reply list, avoid re-encoding the answer.
10640 - removed TODO items for optimizations that do not show up in
10642 - default is now minievent - not libevent. As its faster and
10644 - loop check different speedup pkt-dname-reading, 1% faster for
10645 nocache-recursion check.
10646 - less hashing during msg parse, 4% for recursion.
10647 - small speed fix for dname_count_size_labels, +1 or +2% recursion.
10648 - some speed results noted:
10656 - delay utility for testing.
10659 - speedup of root-delegation message encoding by 15%.
10660 - minor speedup of compress tree_lookup, maybe 1%.
10661 - speedup of dname_lab_cmp and memlowercmp - the top functions in
10665 - setup speec_cache for need-ldns-testns in dotests.
10666 - check number of queued replies on incoming queries to avoid overload
10668 - fptr whitelist checks are not disabled in optimize mode.
10669 - do-daemonize config file option.
10670 - minievent time share initializes time at start.
10671 - updated testdata for nsec3 new algorithm numbers (6, 7).
10672 - small performance test of packet encoding (root delegation).
10675 - applied patch to unbound-host man page from Jan-Piet Mens.
10676 - fix donotquery-localhost: yes default (it erroneously was switched
10678 - time is only gotten once and the value is shared across unbound.
10679 - unittest cleans up crypto, so that it has no memory leaks.
10680 - mini_event shares the time value with unbound this results in
10682 - ldns tarball update with new NSEC3 sign code numbers.
10683 - perform several reads per UDP operation. This improves performance
10686 - modified asynclook test. because the callback from async is not
10697 - patch to unbound-host from Jan-Piet Mens.
10698 - unbound host prints errors if fails to configure context.
10699 - fixup perf to resend faster, so that long waiting requests do
10703 - fixup iterator operating in no cache conditions (RD flag unset
10705 - streamlined code for RD flag setting.
10706 - profiled code and changed dname compares to be faster.
10708 - minievent tests for eintr and eagain.
10711 - added FreeBSD rc.d script to contrib.
10712 - --prefix option for configure also changes directory: pidfile:
10714 - added cache speed test, for cache size OK and cache too small.
10717 - start without a config file (will complain, but start with
10719 - perf test program works.
10722 - 0.9 released.
10723 - 1.0 development. Printout ldns version on unbound -h.
10724 - start of perf tool.
10725 - bugfix to read empty lines from /etc/hosts.
10728 - fixup problem with configure calling itself if ldns-src tarball
10732 - changed library to use ub_ instead of ub_val_ as prefix.
10733 - statistics output text nice.
10734 - etc/hosts handling.
10735 - library function to put logging to a stream.
10736 - set any option interface.
10739 - test program for multiple queries over a TCP channel.
10740 - tpkg test for stream tcp queries.
10741 - unbound replies to multiple TCP queries on a TCP channel.
10742 - fixup misclassification of root referral with NS in answer
10744 - tag 0.9
10745 - layout of manpages, spelling fix in header, manpages process by
10746 makedist, list asynclook and tcpstream tests as ldns-testns
10750 - moved up all current level 2 to be level 3. And 3 to 4.
10753 - verbosity level 2. Describes recursion and validation.
10754 - cleaner configure script and fixes for libevent solaris.
10755 - signedness for log output memory sizes in high verbosity.
10758 - clearer explanation of threading configure options.
10759 - fixup asynclook test for nothreading (it creates only one process
10761 - changed name of ub_val_result_free to ub_val_resolve_free.
10762 - removes warning message during library linking, renamed
10763 libunbound/unbound.c -> libunbound.c and worker to libworker.
10764 - fallback without EDNS if result is NOTIMPL as well as on FORMERR.
10767 - statistics-interval: seconds option added.
10768 - test for statistics option
10769 - ignore errors making directories, these can occur in parallel builds
10770 - fixup Makefile strip command and libunbound docs typo.
10773 - bg thread/process reads and writes the pipe nonblocking all the time
10778 - check trailing / on chrootdir in checkconf.
10779 - check if root hints and anchor files are in chrootdir.
10780 - no route to host tcp error is verbosity level 2.
10781 - removed unused send_reply_iov. and its configure check.
10782 - added prints of 'remote address is 1.2.3.4 port 53' to errors
10786 - fixup uninit use of buffer by libunbound (query id, flags) for
10788 - fixup uninit warning from random.c; also seems to fix sporadic
10790 - made openssl entropy warning more silent for library use. Needs
10792 - fixup forgotten locks for rbtree_searches on ctx->query tree.
10793 - random generator cleanup - RND_STATE_SIZE removed, and instead
10794 a super-rnd can be passed at init to chain init random states.
10795 - test also does lock checks if available.
10796 - protect config access in libworker_setup().
10797 - libevent doesn't like comm_base_exit outside of runloop.
10798 - close fds after removing commpoints only (for epoll, kqueue).
10801 - added tpkg for asynclook and library use.
10802 - allows localhost to be queried when as a library.
10803 - fixup race condition between cancel and answer (in case of
10805 - please doxygen, put doxygen comment in one place.
10806 - asynclook -b blocking mode and test.
10807 - refactor asynclook, nicer code.
10808 - fixup race problems from opensll in rand init from library, with
10810 - fix pass async_id=NULL to _async resolve().
10811 - rewrote _wait() routine, so that it is threadsafe.
10812 - cancelation is threadsafe.
10813 - asynclook extended test in tpkg.
10814 - fixed two races where forked bg process waits for (somehow shared?)
10819 - tested the cancel() function.
10820 - asynclook -c (cancel) feature.
10821 - fix fail to allocate context actions.
10822 - make pipe nonblocking at start.
10823 - update plane for retry mode with caution to limit bandwidth.
10824 - fix Makefile for concurrent make of unbound-host.
10825 - renamed ub_val_ctx_wait/poll/process/fd to ub_val*.
10826 - new calls to set forwarding added to header and docs.
10829 - removed debug prints from if-auto, verb-algo enables some.
10830 - libunbound QUIT setup, remove memory leaks, when using threads
10836 - library code for async in libunbound/unbound.c.
10837 - fix link testbound.
10838 - fixup exit bug in mini_event.
10839 - background worker query enter and result functions.
10840 - bg query test application asynclook, it looks up multiple
10844 - libworker work, netevent raw commpoints, write_msg, serialize.
10847 - touch up of manpage for libunbound.
10848 - support for IP_RECVDSTADDR (for *BSD ip4).
10849 - fix for BSD, do not use ip4to6 mapping, make two sockets, once
10851 - goodbye ip4to6 mapping.
10852 - update ldns-testpkts with latest version from ldns-trunk.
10853 - updated makedist for relative ldns pathnames.
10854 - library API with more information inside the result structure.
10855 - work on background resolves.
10858 - fixup configure in case -lldns is installed.
10859 - fixup a couple of doxygen warnings, about enum variables.
10860 - interface-automatic now copies the interface address from the
10862 - manual page with library API, all on one page 'man libunbound'.
10863 - rewrite of PKTINFO structure, it also captures IP4 PKTINFO.
10866 - incoming queries to the server with TC bit on are replied FORMERR.
10867 - interface-automatic replied the wrong source address on localhost
10869 to use ifnum=-1 to mean 'no interface, use kernel route'.
10872 - interface-automatic feature. experimental. Nice for anycast.
10873 - tpkg test for ip6 ancillary data.
10874 - removed debug prints.
10875 - porting experience, define for Solaris, test refined for BSD
10877 - makedist fixup for ldns-src in build-dir.
10880 - in no debug sets NDEBUG to remove asserts.
10881 - configure --enable-debug is needed for dependency generation
10883 - ldns.tgz updated with ldns-trunk (where buffer.h is updated).
10884 - fix lint, unit test in optimize mode.
10885 - default access control allows ::ffff:127.0.0.1 v6mapped localhost.
10888 - man page, warning removed.
10889 - added text describing the use of stub zones for private zones.
10890 - checkconf tests for bad hostnames (IP address), and for doubled
10892 - memory sizes can be given with 'k', 'Kb', or M or G appended.
10895 - typo in example.conf.
10896 - made using ldns-src that is included the package more portable
10898 - nicer do-ip6: yes/no documentation.
10899 - nicer linking of libevent .o files.
10900 - man pages render correctly on solaris.
10903 - fixup openssl RAND problem, when the system is not configured to
10907 - print median and quartiles with extensive logging.
10910 - document misconfiguration in private network.
10913 - fixup typo in requirements.
10914 - document that 'refused' is a better choice than 'drop' for
10918 - unbound-host has a -d option to show what happens. This can help
10920 - fixup CNAME handling, on nodata, sets and display canonname.
10921 - dot removed from CNAME display.
10922 - respect -v for NXDOMAINs.
10923 - updated ldns-src.tar.gz with ldns-trunk today (1.2.2 fixes).
10924 - size_t to int for portability of the header file.
10925 - fixup bogus handling.
10926 - dependencies and lint for unbound-host.
10929 - library resolution works in foreground mode, unbound-host app
10931 - unbound-host prints rdata using ldns.
10932 - unbound-host accepts trust anchors, and prints validation
10933 information when you give -v.
10936 - locking in context_new() inside the function.
10937 - setup of libworker.
10940 - minor Makefile fixup.
10941 - moved module-stack code out of daemon/daemon into services/modstack,
10942 preparing for code-reuse.
10943 - move context into own header file.
10944 - context query structure.
10945 - removed unused variable pwd from checkconf.
10946 - removed unused assignment from outside netw.
10947 - check timeval length of string.
10948 - fixup error in val_utils getsigner.
10949 - fixup same (*var) error in netblocktostr.
10950 - fixup memleak on parse error in localzone.
10951 - fixup memleak on packet parse error.
10952 - put ; after union in parser.y.
10953 - small hardening in iter_operate against iq==NULL.
10954 - hardening, if error reply with rcode=0 (noerror) send servfail.
10955 - fixup same (*var) error in find_rrset in msgparse, was harmless.
10956 - check return value of evtimer_add().
10957 - fixup lockorder in lruhash_reclaim(), building up a list of locked
10959 - fptr_wlist for markdelfunc.
10960 - removed is_locked param from lruhash delkeyfunc.
10961 - moved bin_unlock during bin_split purely to please.
10964 - changed checkconf/ to smallapp/ to make room for more support tools.
10965 (such as unbound-host).
10966 - install dirs created with -m 755 because they need to be accessible.
10967 - library extensive featurelist added to TODO.
10968 - please doxygen, lint.
10969 - library test application, with basic functionality.
10970 - fix for building in a subdirectory.
10971 - link lib fix for Leopard.
10974 - makefile that creates libunbound.la, basic file or libunbound.a
10976 - more API setup.
10979 - 0.9 public API start.
10982 - Changeup plan for 0.8 - no complication needed, a simple solution
10984 - you can use single quotes in the config file, so it is possible
10986 - fixup small memory problem in implicit transparent zone creation.
10987 - test for implicit zone creation and multiple RR RRsets local data.
10988 - local-zone nodefault test.
10989 - show testbound testlist on commit.
10990 - iterator normalizer changes CNAME chains ending in NXDOMAIN where
10993 - nicer verbosity: 0 and 1 levels.
10994 - lower nonRDquery chance of eliciting wrongly typed validation
10996 - fix for nonRDquery validation typing; nodata is detected when
10997 SOA record in auth section (all validation-requiring nodata messages
11000 - duplicate checking when adding NSECs for a CNAME, and test.
11001 - created svn tag 0.8, after completing testbed tests.
11004 - per suggestion in rfc2308, replaced default max-ttl value with 1 day.
11005 - set size of msgparse lookup table to 32, from 1024, so that its size
11008 - update of memstats tool to print number of allocation calls.
11013 - noted EDNS in-the-middle dropping trouble as a TODO.
11015 - added all default AS112 zones.
11016 - answers from local zone content.
11020 * empty-nonterminal answer.
11023 - test for correct working of static and transparent and couple
11026 - fixup implicit zone generation and AA bit for NXDOMAIN on localdata.
11029 - local zone internal data setup.
11032 - 0.8 - str2list config support for double string config options.
11033 - local-zone and local-data options, config storage and documentation.
11036 - do not downcase NSEC and RRSIG for verification. Follows
11037 draft-ietf-dnsext-dnssec-bis-updates-06.txt.
11038 - fixup leaking unbound daemons at end of tests.
11039 - README file updated.
11040 - nice libevent not found error.
11041 - README talks about gnu make.
11042 - 0.8: unit test for addr_mask and fixups for it.
11044 - 0.8: access-control config file element.
11046 - 0.8: fixup address reporting from netevent.
11049 - privilege separation is not needed in unbound at this time.
11051 - created beta-0.7 branch for support.
11052 - tagged 0.7 for beta release.
11053 - moved trunk to 0.8 for 0.8(auth features) development.
11054 - 0.8: access control list setup.
11057 - review fixups from Jelte.
11060 - testbed script does not recreate configure, since its in svn now.
11061 - fixup checkconf test so that it does not test
11062 /etc/unbound/unbound.conf.
11063 - tag 0.6.
11066 - remove debug print.
11067 - fixup testbound exit when LIBEVENT_SIGNAL_PROBLEM exists.
11070 - fixup signal handling where SIGTERM could be ignored if a SIGHUP
11072 - bugreports to unbound-bugs@nlnetlabs.nl
11073 - fixup testbound so it exits cleanly.
11074 - cleanup the caches on a reload, so that rrsetID numbers won't clash.
11077 - took ldns snapshot in repo.
11078 - default config file is /etc/unbound/unbound.conf.
11079 If it doesn't exist, it is installed with the doc/example.conf file.
11081 - default listening is not all, but localhost interfaces.
11084 - Fixup chroot and drop user privileges.
11085 - new L root ip address in default hints.
11088 - Fixup of crash on reload, due to anchors in env not NULLed after
11090 - Fixup of chroot call. Happens after privileges are dropped, so
11092 - minor touch up of clear() hashtable function.
11093 - VERB_DETAIL prints out what chdir, username, chroot is being done.
11094 - when id numbers run out, caches are cleared, as in design notes.
11096 - harden-dnssec-stripped: yes is now default. It insists on dnssec
11100 - cache-max-ttl config option.
11101 - building outside sourcedir works again.
11102 - defaults more secure:
11106 - fix horrible oversight in sorting rrset references in a message,
11108 - pidfile: "/etc/unbound/unbound.pid" is now the default.
11109 - tests changed to reflect the updated default.
11110 - created hashtable clear() function that respects locks.
11113 - fixup assertion failure that relied on compressed names to be
11116 - quieter logging at low verbosity level for common tcp messages.
11117 - no greedy TTL update.
11120 - fixup (grand-)parent problem for dnssec-lameness detection.
11121 - fixup tests to do additional section processing for lame replies,
11123 - no longer trust in query section in reply during dnssec lame detect.
11124 - dnssec lameness does not make the server never ever queried, but
11125 non-preferred. If no other servers exist or answer, the dnssec lame
11127 - added test then when trust anchor cannot be primed (nodata), the
11129 - Fixup max queries per thread, any more are dropped.
11132 - added donotquerylocalhost config option. Can be turned off for
11134 - ISO C compat changes.
11135 - detect RA-no-AA lameness, as LAME.
11136 - DNSSEC-lameness detection, as LAME.
11138 - tests for lameness detection.
11139 - added all to make test target; need unbound for fwd tests.
11140 - testbound does not pollute /etc/unbound.
11143 - added configure (and its files) to svn, so that the trunk is easier
11146 - added yacc/lex generated files, util/configlexer.c,
11148 - without lex no attempt to use it.
11149 - unsecure response validation collated into one block.
11150 - remove warning about const cast of cfgfile name.
11151 - outgoing-interfaces can be different from service interfaces.
11152 - ldns-src configure is done during unbound configure and
11153 ldns-src make is done during unbound make, and so inherits the
11155 - nicer error when libevent problem causes instant exit on signal.
11156 - read root hints from a root hint file (like BIND does).
11159 - addresses are logged with errors.
11160 - fixup testcode fake event to remove pending before callback
11162 - tests updated because retries are now in iterator module.
11163 - ldns-testpkts code is checked for differences between unbound
11165 - ldns trunk from today added in svn repo for fallback in case
11168 - ldns-src.tar.gz is used if no ldns is found on the system, and
11170 - start of regional allocator code.
11171 - regional uses less memory and variables, simplified code.
11172 - remove of region-allocator.
11173 - alloc cache keeps a cache of recently released regional blocks,
11175 - make unit test cleanly free memory.
11178 - fixup another cycle detect and ns-addr timeout resolution bug.
11180 when resolving a mandatory-glue nameserver-address for that zone.
11184 - changed random generator from random(3) clone to arc4random wrapped
11187 - fix crash where failure to prime DNSKEY tried to print null pointer
11189 - removed some debug prints, only verb_algo (4) enables them.
11190 - fixup test; new random generator took new paths; such as one
11192 - mark insecure RRs as insecure.
11193 - fixup removal of nonsecure items from the additional.
11194 - reduced timeout values to more realistic, 376 msec (262 msec has
11196 - server selection failover to next server after timeout (376 msec).
11199 - no malloc in log_hex.
11200 - assertions around system calls.
11201 - protect against gethostname without ending zero.
11202 - ntop output is null terminated by unbound.
11203 - pidfile content null termination
11204 - various snprintf use sizeof(stringbuf) instead of fixed constant.
11205 - changed loopdetect % 8 with & 0x7 since % can become negative for
11207 - dname_pkt_copy checks length of result, to protect result buffers.
11210 - remove a size_t underflow from msgreply size func.
11213 - nicer warning.
11214 - fix IP6 TCP, wrong definition check. With test package.
11215 - fixup the fact that the query section was not compressed to,
11218 - more portable ip6 check for sockaddr types.
11221 - --disable-rpath option in configure for 64bit systems with
11225 - fixup tests for no AD bit in non-DO queries.
11226 - test that makes sure AD bit is not set on non-DO query.
11229 - removed logfile open early. It did not have the proper permissions;
11232 - callback checks for event callbacks done from mini_event. Because
11234 libevent the protection does not work on event-callbacks.
11235 - fixup too small reply (did not zero counts).
11236 - fixup reply no longer AD bit when query without DO bit.
11239 - function pointer whitelist.
11242 - overwrite sensitive random seed value after use.
11243 - switch to logfile very soon if not -d (console attached).
11244 - error messages do not reveal the trustanchor contents.
11245 - start work on function pointer whitelists.
11248 - fix for multiple empty nonterminals, after multiple DSes in the
11250 - mesh checks if modules are looping, and stops them.
11251 - refetch with CNAMEd nameserver address regression test added.
11252 - fixup line count bug in testcode, so testbound prints correct line
11254 - unit test for multiple ENT case.
11255 - fix for cname out of validated unsec zone.
11256 - fixup nasty id=0 reuse. Also added assertions to detect its
11260 - skip F77, CXX, objC tests in configure step.
11261 - fixup crash in refetch glue after a CNAME.
11265 - test case for unbound-checkconf, fixed so it also checks the
11269 - SIGHUP will reopen the log file.
11270 - Option to log to syslog.
11271 - please lint, fixup tests (that went to syslog on open, oops).
11272 - config check program.
11275 - tests for NSEC3. Fixup bitmap checks for NSEC3.
11276 - positive ANY response needs to check if wildcard expansion, and
11278 - tests for NSEC3 that wrong use of OPTOUT is bad. For insecure
11280 - create 0.5 release tag.
11283 - do not make test programs by default.
11284 - But 'make test' will perform all of the tests.
11285 - Advertise builtin select libevent alternative when no libevent
11287 - signit can generate NSEC3 hashes, for generating tests.
11288 - multiple nsec3 parameters in message test.
11289 - too high nsec3 iterations becomes insecure test.
11292 - fixup empty_DS_name allocated in wrong region (port DEC Alpha).
11293 - fixup testcode lock safety (port FreeBSD).
11294 - removes subscript has type char warnings (port Solaris 9).
11295 - fixup of field with format type to int (port MacOS/X intel).
11296 - added test for infinite loop case in nonRD answer validation.
11300 proof is possible - the signature has been stripped off.
11303 - fixup and test for NSEC wildcard with empty nonterminals.
11304 - makedist.sh fixup for svn info.
11305 - acl features request in plan.
11306 - improved DS empty nonterminal handling.
11307 - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
11309 - striplab protection in case it becomes -1.
11310 - plans for static and blacklist config.
11313 - comments about non-packed usage.
11314 - plan for overload support in 0.6.
11315 - added testbound tests for a failed resolution from the logs
11317 - fixup so useless delegation points are not returned from the
11319 - fixup NSEC rdata not to be lowercased, bind compat.
11322 - wildcard nsec3 testcases, and fixup to get correct wildcard name.
11323 - validator prints subtype classification for debug.
11326 - NSEC3 hash cache unit test.
11327 - validator nsec3 nameerror test.
11330 - nsec3 nodata proof, nods proof, wildcard proof.
11331 - nsec3 support for cname chain ending in noerror or nodata.
11332 - validator calls nsec3 proof routines if no NSECs prove anything.
11333 - fixup iterator bug where it stored the answer to a cname under
11338 - nsec3 find matching and covering, ce proof, prove namerror msg.
11341 - fixup of manual page warnings, like for NSD bugreport.
11342 - nsec3 work, config, max iterations, filter, and hash cache.
11345 - fixup to find libevent on mac port install.
11346 - fixup size_t vs unsigned portability in validator/sigcrypt.
11347 - please compiler on different platforms, for unreachable code.
11348 - val_nsec3 file.
11349 - pthread_rwlock type is optional, in case of old pthread libs.
11352 - cname, name error validator tests.
11353 - logging of qtype ANY works.
11354 - ANY type answers get RRSIG in answer section of replies (but not
11356 - testbound can replay a TCP query (set MATCH TCP in the QUERY).
11357 - DS and noDS referral validation test.
11358 - if you configure many trust anchors, parent trust anchors can
11360 - not all *.name NSECs are present because a wildcard was matched,
11365 - configure option for memory allocation debugging.
11366 - port configure option for memory allocation to solaris10.
11369 - fixup of Leakage warning when serviced queries processed multiple
11371 - testbound removes config file from /tmp on failed exit.
11372 - fixup for referral cleanup of the additional section.
11373 - tests for cname, referral validation.
11374 - neater testbound tpkg output.
11375 - DNAMEs no longer match their apex when synthesized from the cache.
11376 - find correct signer name for DNAME responses.
11377 - wildcarded DNAME test and fixup code to detect.
11378 - prepend NSEC and NSEC3 rrsets in the iterator while chasing CNAMEs.
11380 - test for a CNAME to a DNAME to a CNAME to an answer, all from
11385 - Fixed error in iterator that would cause assertion failure in
11389 - timeout on tcp does not lead to spurious leakage detect.
11390 - account memory for name of lame zones, so that memory leakages does
11392 - config setting for lameness cache expressed in bytes, instead of
11394 - tool too summarize allocations per code line.
11397 - can read bind trusted-keys { ... }; files, in a compatibility mode.
11398 - iterator should not detach target queries that it still could need.
11401 - validator nodata, positive, referral tests.
11402 - dname print can print '*' wildcard.
11405 - fixup override date config option.
11406 - config options to control memory usage.
11407 - caught bad free of un-alloced data in worker_send error case.
11408 - memory accounting for key cache (trust anchors and temporary cache).
11409 - memory accounting fixup for outside network tcp pending waits.
11410 - memory accounting fixup for outside network tcp callbacks.
11411 - memory accounting for iterator fixed storage.
11412 - key cache size and slabs config options.
11413 - lib crypto cleanups at exit.
11416 - test tool to sign rrsets for testing validator with.
11417 - added RSA and DSA test keys, public and private pairs, 512 bits.
11418 - default configuration is with validation enabled.
11419 Only a trust-anchor needs to be configured for DNSSEC to work.
11420 - do not convert to DER for DSA signature verification.
11421 - validator replay test file, for a DS to DNSKEY DSA key prime and
11425 - removed double use for udp buffers, that could fail,
11427 - validator validates referral messages, by validating all the rrsets
11431 - enforce that signing is done by a parent domain (or same domain).
11432 - adjust TTL downwards if rrset TTL bigger than signature allows.
11433 - permissive mode feature, sets AD bit for secure, but bogus does
11435 - optimization of rrset verification. rr canonical sorting is reused,
11438 - if the rrset is too big (64k exactly + large owner name) the
11440 - faster verification for large sigsets.
11441 - verb_detail mode reports validation failures, but not the entire
11446 - do not garble the edns if a cache answer fails.
11447 - answer norecursive from cache if possible.
11448 - honor clean_additional setting when returning secure non-recursive
11450 - do not store referral in msg cache for nonRD queries.
11451 - store verification status in the rrset cache to speed up future
11453 - mark rrsets indeterminate and insecure if they are found to be so.
11457 - message is bogus if unsecure authority rrsets are present.
11458 - val-clean-additional option, so you can turn it off.
11459 - move rrset verification out of the specific proof types into one
11461 - fixup cname handling in validator, cname-to-positive and cname-to-
11463 - Do not synthesize DNSKEY and DS responses from the rrset cache if
11466 - more verbose signature date errors (with the date attached).
11467 - increased default infrastructure cache size. It is important for
11472 - CNAME handling - move needs_validation to before val_new().
11473 val_new() setups the chase-reply to be an edited copy of the msg.
11477 - refuse to follow wildcarded DNAMEs when validating.
11481 - bogus TTL.
11482 - review - use val_error().
11485 - ANY response validation.
11486 - store security status in cache.
11487 - check cache security status and either send the query to be
11490 - do not examine security status on an error reply in mesh_done.
11491 - construct DS, DNSKEY messages from rrset cache.
11492 - manual page entry for override-date.
11495 - validate and positive validation, positive wildcard NSEC validation.
11496 - nodata validation, nxdomain validation.
11499 - process DNSKEY response in FINDKEY state.
11502 - work on DS2KE routine.
11503 - val_nsec.c for validator NSEC proofs.
11504 - unit test for NSEC bitmap reading.
11505 - dname iswild and canonical_compare with unit tests.
11508 - DS sig unit test.
11509 - latest release libevent 1.3c and 1.3d have threading fixed.
11510 - key entry fixup data pointer and ttl absolute.
11511 - This makes a key-prime succeed in validator, with DS or DNSKEY as
11512 trust-anchor.
11513 - fixup canonical compare byfield routine, fix bug and also neater.
11514 - fixed iterator response type classification for queries of type
11519 - validator FINDKEY state.
11522 - crypto calls to verify signatures.
11523 - unit test for rrsig verification.
11526 - default outgoing ports changed to avoid port 2049 by default.
11528 - count infra lameness cache in memory size.
11529 - accounting of memory improved
11530 - outbound entries are allocated in the query region they are for.
11531 - extensive debugging for memory allocations.
11532 - --enable-lock-checks can be used to enable lock checking.
11533 - protect undefs in config.h from autoheaders ministrations.
11534 - print all received udp packets. log hex will print on multiple
11536 - fixed error in parser with backwards rrsig references.
11537 - mark cycle targets for iterator did not have CD flag so failed
11541 - fixup makefile, if lexer is missing give nice error and do not
11543 - canonical compare routine updated.
11544 - canonical hinfo compare.
11545 - printout list of the queries that the mesh is working on.
11548 - malloc and free overrides that track total allocation and frees.
11550 - work on canonical sort.
11553 - canonicalization, signature checks
11554 - dname signature label count and unit test.
11555 - added debug heap size print to memory printout.
11556 - typo fixup in worker.c
11557 - -R needed on solaris.
11558 - validator override option for date check testing.
11561 - ldns _raw routines created (in ldns trunk).
11562 - sigcrypt DS digest routines
11563 - val_utils uses sigcrypt to perform signature cryptography.
11564 - sigcrypt keyset processing
11567 - security status type.
11568 - security status is copied when rdata is equal for rrsets.
11569 - rrset id is updated to invalidate all the message cache entries
11571 - val_util work
11572 - val_sigcrypt file for validator signature checks.
11575 - key cache for validator.
11576 - moved isroot and dellabel to own dname routines, with unit test.
11579 - replanning.
11580 - scrubber check section of lame NS set.
11581 - trust anchors can be in config file or read from zone file,
11583 - unit test trust anchor storage.
11584 - trust anchors converted to packed rrsets.
11585 - key entry definition.
11588 - configure change for latest libevent trunk version (needs -lrt).
11589 - query_done and walk_supers are moved out of module interface.
11590 - fixup delegation point duplicates.
11591 - fixup iterator scrubber; lame NS set is let through the scrubber
11593 - validator module exists, and does nothing but pass through,
11595 - validator work.
11598 - set version to 0.5
11599 - module work for module to module interconnections.
11600 - config of modules.
11601 - detect cycle takes flags.
11604 - updated plan
11605 - release 0.4 tag.
11608 - changed random state init, so that sequential process IDs are not
11609 cancelled out by sequential thread-ids in the random number seed.
11610 - the fwd_three test, which sends three queries to unbound, and
11611 unbound is kept waiting by ldns-testns for 3 seconds, failed
11617 - removed useless -C debug option. It did not work.
11618 - text edit of documentation.
11619 - added doc/CREDITS file, referred to by the manpages.
11620 - updated planning.
11623 - cycle detection, for query state dependencies. Will attempt to
11625 - unit test for AXFR, IXFR response.
11626 - test for cycle detection.
11629 - testbound read ADDRESS and check it.
11630 - test for version.bind and friends.
11631 - test for iterator chaining through several referrals.
11632 - test and fixup for refetch for glue. Refetch fails if glue
11636 - Example section in config manual.
11637 - Addr stored for range and moment in replay.
11640 - Check CNAME chain before returning cache entry with CNAMEs.
11641 - Option harden-glue, default is on. It will discard out of zone
11646 - if glue times out, refetch by asking parent of delegation again.
11648 - TODO items from forgery-resilience draft.
11650 - renamed module_event_timeout to module_event_noreply.
11651 - memory reporting code; reports on memory usage after handling
11655 - shuffle NS selection when getting nameserver target addresses.
11656 - fixup of deadlock warnings, yield cpu in checklock code so that
11658 - added identity and version config options and replies.
11659 - store cname messages complete answers.
11662 - do not query addresses, 127.0.0.1, and ::1 by default.
11665 - forward zone options in config file.
11666 - forward per zone in iterator. takes precedence over stubs.
11667 - fixup commithooks.
11668 - removed forward-to and forward-to-port features, subsumed by
11670 - fix parser to handle absent server: clause.
11671 - change untrusted rrset test to account for scrubber that is now
11673 - feature, addresses can be specified with @portnumber, like nsd.conf.
11674 - test config files changed over to new forwarder syntax.
11677 - delete of mesh does a postorder traverse of the tree.
11678 - found and fixed a memory leak. For TTL=0 messages, that would
11679 not be cached, instead the msg-replyinfo structure was leaked.
11680 - changed server selection so it will filter out hosts that are
11683 The rto value will time out after host-ttl seconds from the cache.
11685 - utility for keeping histogram.
11688 - mesh is called by worker, and iterator uses it.
11691 - forwarder mode no longer sets AA bit on first reply.
11692 - rcode in walk_supers is not needed.
11695 - more mesh work.
11696 - error encode routine for ease.
11699 - removed unused _node iterator value from rbtree_t. Takes up space.
11700 - iterator can handle querytargets state without a delegation point
11702 - iterator stores if it is priming or not.
11703 - log_query_info() neater logging.
11704 - changed iterator so that it does not alter module_qstate.qinfo
11707 - fixup crash in case no ports for the family exist.
11710 - Fixup secondary buffer in case of error callback.
11711 - cleanup slumber list of runnable states.
11712 - module_subreq_depth fails to work in slumber list.
11713 - fixup query release for cached results to sub targets.
11714 - neater error for tcp connection failure, shows addr in verbose.
11715 - rbtree_init so that it can be used with preallocated memory.
11718 - new -C option to enable coredumps after forking away.
11719 - doc update.
11720 - fixup CNAME generation by scrubber, and memory allocation of it.
11721 - fixup deletion of serviced queries when all callbacks delete too.
11722 - set num target queries to 0 when you move them to slumber list.
11723 - typo in check caused subquery errors to be ignored, fixed.
11724 - make lint happy about rlim_t.
11725 - freeup of modules after freeup of module-states.
11726 - duplicate replies work, this uses secondary udp buffer in outnet.
11729 - nicer layout in stats.c, review 0.3 change.
11730 - spelling improvement, review 0.3 change.
11731 - uncapped timeout for server selection, so that very fast or slow
11733 - target-fetch-policy: "3 2 1 0 0" config setting.
11734 - fixup queries answered without RD bit (for root prime results).
11735 - refuse AXFR and IXFR requests.
11736 - fixup RD flag in error reply from iterator. fixup RA flag from
11738 - fixup encoding of very short edns buffer sizes, now sets TC bit.
11739 - config options harden-short-bufsize and harden-large-queries.
11742 - same, move subqueries to slumber list when first has resolved.
11743 - fixup last fix for duplicate callbacks.
11744 - another offbyone in targetcounter. Also in Java prototype by the way.
11747 - if a query asks to be notified of the same serviced query result
11749 multiple outbound-list entries result (but the double cleanup of it
11751 - when iterator moves on due to CNAME or referral, it will remove
11754 - state module wait subq is OK with no new subqs, an old one may have
11756 - if a query loops, halt entire query (easy way to clean up properly).
11759 - num query targets was > 0 , not >= 0 compared, so that fetch
11763 - debug option: configure --enable-static-exe for compile where
11765 - make install and make uninstall. Works with static-exe and without.
11767 - alignment problem fix on solaris 64.
11768 - fixup address in case of TCP error.
11771 - num target queries was set to 0 at a bad time. Default it to 0 and
11773 - synthesize CNAME and DNAME responses from the cache.
11774 - Updated doxygen config for doxygen 1.5.
11775 - aclocal newer version.
11776 - doxygen 1.5 fixes for comments (for the strict check on docs).
11779 - replies on TCP queries have the address field set in replyinfo,
11782 - omit DNSSEC types from nonDO replies, except if qtype is ANY or
11785 - fixed message parsing where rrsigs on their own would be put
11789 - fixup error in double linked list insertion for subqueries and
11791 - nicer printout of outgoing port selection.
11792 - fixup cname target readout.
11793 - nicer debug output.
11794 - fixup rrset counts when prepending CNAMEs to the answer.
11795 - fixup rrset TTL for prepended CNAMEs.
11796 - process better check for looping modules, and which submodule to
11798 - subreq insertion code fixup for slumber list.
11799 - VERB_DETAIL, verbosity: 2 level gives short but readable output.
11801 - fixup RA bit in cached replies.
11802 - fixup CNAME responses from the cache no longer partial response.
11803 - error in network send handled without leakage.
11804 - enable ip6 from config, and try ip6 addresses if available,
11808 - iterator state finished.
11809 - subrequests without parent store in cache and stop.
11810 - worker slumber list for ongoing promiscuous queries.
11811 - subrequest error handling.
11812 - priming failure returns SERVFAIL.
11813 - priming gives LAME result, returns SERVFAIL.
11814 - debug routine to print dns_msg as handled by iterator.
11815 - memleak in config file stubs fixup.
11816 - more small bugs, in scrubber, query compare no ID for lookup,
11818 - sets entry.key for new special allocs.
11819 - lognametypeclass can display unknown types and classes.
11822 - random selection of equally preferred nameserver targets.
11823 - reply info copy routine. Reuses existing code.
11824 - cache lameness in response handling.
11825 - do not touch qstate after worker_process_query because it may have
11827 - Prime response state.
11828 - Process target response state.
11829 - some memcmp changed to dname_compare for case preservation.
11832 - normalize incoming messages. Like unbound-java, with CNAME chain
11834 - sanitize incoming messages.
11835 - split msgreply encode functions into own file msgencode.c.
11836 - msg_parse to queryinfo/replyinfo conversion more versatile.
11837 - process_response, classify response, delegpt_from_message.
11840 - querytargets state.
11841 - dname_subdomain_c() routine.
11842 - server selection, based on RTT. ip6 is filtered out if not available,
11844 - delegation point copy routine.
11847 - removed FLAG_CD from message and rrset caches. This was useful for
11850 - iterator response typing.
11851 - iterator cname handle.
11852 - iterator prime start.
11853 - subquery work.
11854 - processInitRequest and processInitRequest2.
11855 - cache synthesizes referral messages, with DS and NSEC.
11856 - processInitRequest3.
11857 - if a request creates multiple subrequests these are all activated.
11860 - routines to lock and unlock array of rrsets moved to cache/rrset.
11861 - lookup message from msg cache (and copy to region).
11862 - fixed cast error in dns msg lookup.
11863 - message with duplicate rrset does not increase its TTLs twice.
11864 - 'qnamesize' changed to 'qname_len' for similar naming scheme.
11867 - Acknowledge use of unbound-java code in iterator. Nicer readme.
11868 - services/cache/dns.c DNS Cache. Hybrid cache uses msgcache and
11870 - packed rrset key has type and class as easily accessible struct
11872 - dns cache find_delegation routine.
11873 - iterator main functions setup.
11874 - dns cache lookup setup.
11877 - small changes to prepare for subqueries.
11878 - iterator forwarder feature separated out.
11879 - iterator hints stub code, config file stub code, so that first
11881 - replay tests now have config option to enable forwarding mode.
11884 - outside network does precise timers for roundtrip estimates for rtt
11886 - cleaner iterator sockaddr conversion of forwarder address.
11887 - iterator/iter_utils and iter_delegpt setup.
11888 - root hints.
11891 - outbound query list for modules and support to callback with the
11893 - testbound support for new serviced queries.
11894 - test for retry to TCP cannot use testbound any longer.
11895 - testns test for EDNS fallback, test for TCP fallback already exists.
11896 - fixes for no-locking compile.
11897 - mini_event timer precision and fix for change in timeouts during
11901 - small comment on hash table locking.
11902 - outside network serviced queries, contain edns and tcp fallback,
11906 - lruhash_touch() would cause locking order problems. Fixup in
11907 lock-verify in case locking cycle is found.
11908 - services/cache/rrset.c for rrset cache code.
11909 - special rrset_cache LRU updating function that uses the rrset id.
11910 - no dependencies calculation when make clean is called.
11911 - config settings for infra cache.
11912 - daemon code slightly cleaner, only creates caches once.
11915 - host cache code.
11916 - unit test for host cache.
11919 - Port to OS/X and Dec Alpha. Printf format and alignment fixes.
11920 - extensive lock debug report on join timeout.
11921 - proper RTT calculation, in utility code.
11922 - setup of services/cache/infra, host cache.
11925 - iterator/iterator.c module.
11926 - fixup to pass reply_info in testcode and in netevent.
11929 - created release-0.3 svn tag.
11930 - util/module.h
11931 - fixed compression - no longer compresses root name.
11934 - outside network cleans up waiting tcp queries on exit.
11935 - fallback to TCP.
11936 - testbound replay with retry in TCP mode.
11937 - tpkg test for retry in TCP mode, against ldns-testns server.
11938 - daemon checks max number of open files and complains if not enough.
11939 - test where data expires in the cache.
11940 - compiletests: fixed empty body ifstatements in alloc.c, in case
11944 - outgoing network keeps list of available tcp buffers for outgoing
11946 - outgoing-num-tcp config option.
11947 - outgoing network keeps waiting list of queries waiting for buffer.
11948 - netevent supports outgoing tcp commpoints, nonblocking connects.
11951 - EDNS read from query, used to make reply smaller.
11952 - advertised edns value constants.
11953 - EDNS BADVERS response, if asked for too high edns version.
11954 - EDNS extended error responses once the EDNS record from the query
11958 - msgreply sizefunc is more accurate.
11959 - config settings for rrset cache size and slabs.
11960 - hashtable insert takes argument so that a thread can use its own
11962 - alloc cache special_release() locks if necessary.
11963 - rrset trustworthiness type added.
11964 - thread keeps a scratchpad region for handling messages.
11965 - writev used in netevent to write tcp length and data after another.
11967 - test for one rrset updated in the cache.
11968 - test for one rrset which is not updated, as it is not deemed
11970 - test for TTL refreshed in rrset.
11973 - fill refs. Use new parse and encode to answer queries.
11974 - stores rrsets in cache.
11975 - uses new msgreply format in cache.
11978 - dname unit tests in own file and spread out neatly in functions.
11979 - more dname unit tests.
11980 - message encoding creates truncated TC flagged messages if they do
11984 - decompress query section, extremely lenient acceptance.
11986 - compression and decompression test cases.
11987 - some stats added.
11988 - example.conf interface: line is changed from 127.0.0.1 which leads
11993 - removed iov usage, it is not good for dns message encoding.
11994 - owner name compression more optimal.
11995 - rrsig owner name compression.
11996 - rdata domain name compression.
11999 - floating point exception fix in lock-verify.
12000 - lint uses make dependency
12001 - fixup lint in dname owner domain name compression code.
12002 - define for offset range that can be compressed to.
12005 - prettier code; parse_rrset->type kept in host byte order.
12006 - datatype used for hashvalue of converted rrsig structure.
12007 - unit test compares edns section data too.
12010 - ttl per RR, for RRSIG rrsets and others.
12011 - dname_print debug function.
12012 - if type is not known, size calc will skip DNAME decompression.
12013 - RRSIG parsing and storing and putting in messages.
12014 - dnssec enabled unit tests (from nlnetlabs.nl and se queries).
12015 - EDNS extraction routine.
12018 - code comes through all of the unit tests now.
12019 - disabled warning about spurious extra data.
12020 - documented the RRSIG parse plan in msgparse.h.
12021 - rrsig reading and outputting.
12024 - fix unit test to actually to tests.
12025 - fix write iov helper, and fakevent code.
12026 - extra builtin testcase (small packet).
12027 - ttl converted to network format in packets.
12028 - flags converted correctly
12029 - rdatalen off by 2 error fixup.
12030 - uses less iov space for header.
12033 - review of msgparse code.
12034 - smaller test cases.
12037 - copy and decompress dnames.
12038 - store calculated hash value too.
12039 - routine to create message out of stored information.
12040 - util/data/msgparse.c for message parsing code.
12041 - unit test, and first fixes because of test.
12045 - test from file and fixes
12051 - following a small change in LDNS, parsing code calculates the
12053 - code to handle ID creation.
12056 - parse routines. Code that parses rrsets, rrs.
12059 - dname compare routine that preserves case, with unit tests.
12062 - parse work - dname packet parse, msgparse, querysection parse,
12066 - Improved alignment of reply_info packet, nice for 32 and 64 bit.
12067 - Put RRset counts in reply_info, because the number of RRs can change
12069 - import of region-allocator code from nsd.
12070 - set alloc special type to ub_packed_rrset_key.
12072 - doxygen documentation for region-allocator.
12073 - setup for parse scratch data.
12076 - discussed packed rrset with Jelte.
12079 - moved to version 0.3.
12080 - added util/data/dname.c
12081 - layout of memory for rrsets.
12084 - detect sign of msghdr.msg_iovlen so that the cast to that type
12088 - constants for DNS flags.
12089 - compilation without locks fixup.
12090 - removed include of unportable header from lookup3.c.
12091 - more portable use of struct msghdr.
12092 - casts for printf warning portability.
12093 - tweaks to tests to port them to the testbed.
12094 - 0.2 tag created.
12097 - check sizes of udp received messages, not too short.
12098 - review changes. Some memmoves can be memcpys: 4byte aligned.
12100 - review changes msgreply.c, memleak on error condition. AA flag
12106 - writev or sendmsg used when answering from cache.
12108 - do not do useless byteswap on query id. Store reply flags in uint16
12110 - reviewed code.
12111 - configure detects and config.h includes sys/uio.h for writev decl.
12114 - new config option: num-queries-per-thread.
12115 - added tpkg test for answering three queries at the same time
12119 - added test for cache and not cached answers, in testbound replays.
12120 - testbound can give config file and commandline options from the
12122 - created test that checks if items drop out of the cache.
12123 - added word 'partitioned hash table' to documentation on slab hash.
12125 - worker can handle multiple queries at a time.
12128 - config settings for slab hash message cache.
12129 - test for cached answer.
12130 - Fixup deleting fake answer from testbound list.
12133 - review of yesterday's commits.
12134 - covered up memory leak of the entry locks.
12135 - answers from the cache correctly. Copies flags correctly.
12136 - sanity check for incoming query replies.
12137 - slabbed hash table. Much nicer contention, need dual cpu to see.
12140 - AIX configure check.
12141 - lock-verify can handle references to locks that are created
12143 - threaded hash table test.
12144 - unit test runs lock-verify afterwards and checks result.
12145 - need writelock to update data on hash_insert.
12146 - message cache code, msgreply code.
12149 - unit test of hash table, fixup locking problem in table_grow().
12150 - fixup accounting of sizes for removing items from hashtable.
12151 - unit test for hash table, single threaded test of integrity.
12152 - lock-verify reports errors nicely. More quiet in operation.
12155 - lock-verifier, checks consistent order of locking.
12158 - hash table insert (and subroutines) and lookup implemented.
12159 - hash table remove.
12160 - unit tests for hash internal bin, lru functions.
12163 - lock_unprotect in checklocks.
12164 - util/storage/lruhash.h for LRU hash table structure.
12167 - configure.ac moved to 0.2.
12168 - query_info and replymsg util/data structure.
12171 - added rwlock writelock checking.
12174 - log_hex function to dump hex strings to the logfile.
12175 - checklocks zeroes its destroyed lock after checking memory areas.
12176 - unit test for alloc.
12177 - identifier for union in checklocks to please older compilers.
12178 - created 0.1 tag.
12181 - Reviewed checklock code.
12184 - created a wrapper around thread calls that performs some basic
12189 - Testbed works with threading (different machines, different options).
12190 - alloc work, does the special type.
12193 - do not compile fork funcs unless needed. Otherwise will give
12195 - log shows thread numbers much more nicely (and portably).
12196 - even on systems with nonthreadsafe libevent signal handling,
12199 - start of alloc framework layout.
12202 - Signals, libevent and threads work well, with libevent patch and
12204 - set ipc pipes nonblocking.
12207 - ub_thread_join portable definition.
12208 - forking is used if no threading is available.
12211 - During reloads the daemon will temporarily handle signals,
12213 - Also randomize the outgoing port range for tests.
12214 - If query list is full, will stop selecting listening ports for read.
12217 - test that uses ldns-testns -f to test threading. Have to answer
12219 - with verbose=0 operates quietly.
12222 - ub_random code used to select ID and port.
12223 - log code prints thread id.
12224 - unbound can thread itself, with reload(HUP) and quit working
12226 - don't open pipes for #0, doesn't need it.
12227 - listens to SIGTERM, SIGQUIT, SIGINT (all quit) and SIGHUP (reload).
12230 - Can do reloads on sigHUP. Everything is stopped, and freed,
12233 - Ports for queries are shared.
12234 - config file added interface:, chroot: and username:.
12235 - config file: directory, logfile, pidfile. And they work too.
12236 - will daemonize by default now. Use -d to stay in the foreground.
12237 - got BSD random[256 state] code, made it threadsafe. util/random.
12240 - Have a config file. Removed commandline options, moved to config.
12241 - tests use config file.
12244 - put -c option in man page.
12245 - minievent fd array capped by FD_SETSIZE.
12248 - Added locks code and pthread spinlock detection.
12249 - can use no locks, or solaris native thread library.
12250 - added yacc and lex configure, and config file parsing code.
12252 - put include errno.h in config.h
12255 - Created 0.0 svn tag.
12256 - added acx_pthread.m4 autoconf check for pthreads from
12257 the autoconf archive. It is GPL-with-autoconf-exception Licensed.
12258 You can specify --with-pthreads, or --without-pthreads to configure.
12261 - Updated testbed script, works better by using make on remote end.
12262 - removed check decls, we can compile without them.
12263 - makefile supports LIBOBJ replacements.
12264 - docs checks ignore compat code.
12265 - added util/mini-event.c and .h, a select based alternative used with
12266 ./configure --with-libevent=no
12268 - will not create ip6 sockets if ip6 not on the machine.
12271 - port to FreeBSD 4.11 Dec Alpha. Also works on Solaris 10 sparc64,
12273 - malloc rndstate, so that it is aligned for access.
12274 - fixed rbtree cleanup with postorder traverse.
12275 - fixed pending messages are deleted when handled.
12276 - You can control verbosity; default is not verbose, every -v
12280 - Included configure.ac changes from ldns.
12281 - detect (some) headers before the standards check.
12282 - do not use isblank to test c99, since its not available on solaris9.
12283 - review of testcode.
12286 - port to OSX: cast to int for some prints of sizet.
12287 - Makefile copies ldnstestpkts.c before doing dependencies on it.
12290 - work on fake events, first fwd replay works.
12291 - events can do timeouts and errors on queries to servers.
12292 - test package that runs replay scenarios.
12295 - work on fake events.
12298 - replay file reading.
12299 - fake event setup, it creates fake structures, and teardowns,
12304 - added tcp test.
12305 - replay storage.
12306 - testcode/fake_event work.
12309 - return answer with the same ID as query was sent with.
12310 - created udp forwarder test. I've done some effort to make it perform
12313 - set addrlen value when calling recvfrom.
12314 - comparison of addrs more portable.
12315 - LIBEVENT option for testbed to set libevent directory.
12316 - work on tcp input.
12319 - reviewed code and improved in places.
12322 - Picked up stdc99 and other define tests from ldns. Improved
12324 - defined constants for netevent callback error code.
12325 - unit test for strisip6.
12328 - Created udp4 and udp6 port arrays to provide service for both
12330 - uses IPV6_USE_MIN_MTU for udp6 ,IPV6_V6ONLY to make ip6 sockets.
12331 - listens on both ip4 and ip6 ports to provide correct return address.
12332 - worker fwder address filled correctly.
12333 - fixup timer code.
12334 - forwards udp queries and sends answer.
12337 - outside network more UDP work.
12338 - moved * closer to type.
12339 - comm_timer object and events.
12342 - Added makedist.sh script to make release tarball.
12343 - Removed listen callback layer, did not add anything.
12344 - Added UDP recv to netevent, worker callback for udp.
12345 - netevent communication reply storage structure.
12346 - minimal query header sanity checking for worker.
12347 - copied over rbtree implementation from NSD (BSD licensed too).
12348 - outgoing network query service work.
12351 - links in example/ldns-testpkts.c and .h for premade packet support.
12352 - added callback argument to listen_dnsport and daemon/worker.
12355 - unbound.8 a short manpage.
12358 - fixed memleak.
12359 - make lint works on BSD and Linux (openssl defines).
12360 - make tags works.
12361 - testbound program start.
12364 - fixed lint so it may work on BSD.
12365 - put license into header of every file.
12366 - created verbosity flag.
12367 - fixed libevent configure flag.
12368 - detects event_base_free() in new libevent 1.2 version.
12369 - getopt in daemon. fatal_exit() and verbose() logging funcs.
12370 - created log_assert, that throws assertions to the logfile.
12371 - listen_dnsport service. Binds ports.
12374 - cleaned up configure.ac.
12377 - added libevent to configure to link with.
12378 - util/netevent setup work.
12379 - configure searches for libevent.
12380 - search for libs at end of configure (when other headers and types
12382 - doxygen works with ATTR_UNUSED().
12383 - util/netevent implementation.
12386 - Designed header file for network communication.
12389 - added readme.svn and readme.tests.
12392 - Testbed script (run on multiple platforms the test set).
12394 - added unit test tpkg.
12397 - committed first set of files into subversion repository.
12400 - Added LICENSE, the BSD license.
12401 - Added doc/README with compile help.
12402 - main program stub and quiet makefile.
12403 - minimal logging service (to stderr).
12404 - added postcommit hook that serves emails.
12405 - added first test 00-lint. postcommit also checks if build succeeds.
12406 - 01-doc: doxygen doc target added for html docs. And stringent test
12410 - Created Makefile.in and configure.ac.