Software-update: Unbound 1.20.0

Als je een dns-look-up uitvoert, begint een recursor in eerste instantie met het stellen van de look-upvraag aan een dns-rootserver. Deze kan dan doorverwijzen naar andere servers, vanaf waar weer doorverwezen kan worden naar andere servers enzovoort, totdat uiteindelijk een server is bereikt die het antwoord weet of weet dat de look-up niet mogelijk is. Van dit laatste kan sprake zijn als de naam niet bestaat of de servers niet reageren. Het proces van het langslopen van verschillende authoritative servers heet recursie. Unbound is een dns-recursor met ondersteuning voor moderne standaarden, zoals Query Name Minimisation, Aggressive Use of Dnssec-Validated Cache en authority zones. Versie 1.20 is uitgebracht en hierin zijn de volgende veranderingen en verbeteringen aangebracht:

Features

• The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue.
• Merge #1027: Introduce 'cache-min-negative-ttl' option.
• Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream.
• Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response.
• Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid?

Bug Fixes

• Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it.
• Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults.
• Remove unused portion from iter_dname_ttl unit test.
• Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME.
• Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it.
• Fix doc test so it ignores but outputs unsupported doxygen options.
• Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload.
• Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout.
• Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected.
• Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger.
• Fix to unify codepath for local alias for rpz cname action override.
• Fix rpz for cname override action after nsdname and nsip triggers.
• Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does.
• Merge #1030: Persist the openssl and expat directories for repeated Windows builds.
• Fix that rpz CNAME content is limited to the max number of cnames.
• Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging.
• Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region.
• Add rpz unit test for nsip action override.
• Fix rpz for qtype CNAME after nameserver trigger.
• Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME.
• Fix localdata and rpz localdata to match CNAME only if no direct type match is available.
• Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi).
• For #831: Format text, use exclamation icon and explicit label names.
• Fix name of unit test for subnet cache response.
• Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations.
• Fix for #1032, add safeguard to make table space positive.
• Fix comment in lruhash space function.
• Fix to add unit test for lruhash space that exercises the routines.
• Fix that when the server truncates the pidfile, it does not follow symbolic links.
• Fix that the server does not chown the pidfile.
• Fix #1034: DoT forward-zone via unbound-control.
• Fix for crypto related failures to have a better error string.
• Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives.
• Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching.
• Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c.
• For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports.
• Fix comment syntax for view function views_find_view.
• Fix #595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file.
• Fixup compile without cachedb.
• Add test for cachedb serve expired.
• Extended test for cachedb serve expired.
• Fix makefile dependencies for fake_event.c.
• Fix cachedb for serve-expired with serve-expired-reply-ttl.
• Fix to not reply serve expired unless enabled for cachedb.
• Fix cachedb for serve-expired with serve-expired-client-timeout.
• Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb.
• Fixup cachedb to not refetch when serve-expired-client-timeout is used.
• Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since Python 3.8
• Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
• Fix configure, autoconf for #1048.
• Add checklock feature verbose_locking to trace locks and unlocks.
• Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks.
• Merge #1053: Remove child delegations from cache when grandchild delegations are returned from parent.
• Fix ci workflow for macos for moved install locations.
• Fix configure flto check error, by finding grep for it.
• Merge #1041: Stub and Forward unshare. This has one structure for them and fixes #1038: fatal error: Could not initialize thread / error: reading root hints.
• Fix to disable fragmentation on systems with IP_DONTFRAG, with a nonzero value for the socket option argument.
• Fix doc unit test for out of directory build.
• Fix cachedb with serve-expired-client-timeout disabled. The edns subnet module deletes global cache and cachedb cache when it stores a result, and serve-expired is enabled, so that the global reply, that is older than the ecs reply, does not return after the ecs reply expires.
• Add unit tests for cachedb and subnet cache expired data.
• Man page entry for unbound-checkconf -q.
• Cleanup unnecessary strdup calls for EDE strings.
• Fix doxygen comment for errinf_to_str_bogus.