unbound (1.4.8-0maemo0~devel2~svn2360) fremantle; urgency=low

  ** 21 December 2010: Wouter
        - algorithm compromise protection using the algorithms signalled in
          the DS record.  Also, trust anchors, DLV, and RFC5011 receive this,
          and thus, if you have multiple algorithms in your trust-anchor-file
          then it will now behave differently than before.  Also, 5011 rollover
          for algorithms needs to be double-signature until the old algorithm
          is revoked.
          It is not an option, because I see no use to turn the security off.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 22 Dec 2010 00:00:00 +0200

unbound (1.4.8-0maemo0~devel2~svn2355) fremantle; urgency=low

  ** 17 December 2010: Wouter
        - squelch 'tcp connect: bla' in logfile, (set verbosity 2 to see them).
        - fix validation in this case: CNAME to nodata for co-hosted opt-in
          NSEC3 insecure delegation, was bogus, fixed to be insecure.

  ** 16 December 2010: Wouter
        - Fix our 'BDS' license (typo reported by Xavier Belanger).

  ** 10 December 2010: Wouter
        - iana portlist updated.
        - review changes for unbound-anchor.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sun, 19 Dec 2010 00:00:00 +0200

unbound (1.4.8-0maemo0~devel2~svn2350) fremantle; urgency=low

  ** 2 December 2010: Wouter
        - feature typetransparent localzone, does not block other RR types.

  ** 1 December 2010: Wouter
        - Fix bug#338: print address when socket creation fails.

  ** 30 November 2010: Wouter
        - Fix storage of EDNS failures in the infra cache.
        - iana portlist updated.

  ** 18 November 2010: Wouter
        - harden-below-nxdomain option, default off (because very old
          software may be incompatible).  We could enable it by default in
          the future.

  ** 17 November 2010: Wouter
        - implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
        - make test output nicer.

  ** 15 November 2010: Wouter
        - silence 'tcp connect: broken pipe' and 'net down' at low verbosity.
        - iana portlist updated.
        - so-sndbuf option for very busy servers, a bit like so-rcvbuf.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Thu, 02 Dec 2010 00:00:00 +0200

unbound (1.4.8-0maemo0~devel2~svn2340) fremantle; urgency=low

  ** 9 November 2010: Wouter
        - unbound-anchor compiles with openssl 0.9.7.

  ** 8 November 2010: Wouter
        - release tag 1.4.7.
        - trunk is version 1.4.8.
        - Be lenient and accept imgw.pl malformed packet (like BIND).

  ** 5 November 2010: Wouter
        - do not synthesize a CNAME message from cache for qtype DS.

  ** 4 November 2010: Wouter
        - Use central entropy to seed threads.

  ** 3 November 2010: Wouter
        - Change the rtt used to probe EDNS-timeout hosts to 1000 msec.

  ** 2 November 2010: Wouter
        - tag 1.4.7rc1.
        - code review.

  ** 1 November 2010: Wouter
        - GOST code enabled by default (RFC 5933).

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 09 Nov 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel2~svn2322) fremantle; urgency=low

  ** 27 October 2010: Wouter
        - Fix uninit value in dump_infra print.
        - Fix validation failure for parent and child on same server with an
          insecure childzone and a CNAME from parent to child.
        - Configure detects libev-4.00.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sun, 31 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel2~svn2313) fremantle; urgency=low

  ** 26 October 2010: Wouter
        - dump_infra and flush_infra commands for unbound-control.
        - no timeout backoff if meanwhile a query succeeded.
        - Change of timeout code.  No more lost and backoff in blockage.
          At 12sec timeout (and at least 2x lost before) one probe per IP
          is allowed only.  At 120sec, the IP is blocked.  After 15min, a
          120sec entry has a single retry packet.

  ** 25 October 2010: Wouter
        - Configure errors if ldns is not found.

  ** 22 October 2010: Wouter
        - Windows 7 fix for the installer.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 26 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel2~svn2303) fremantle; urgency=low

  * builder did not deploy package. retry.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Fri, 22 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2303) fremantle; urgency=low

  ** 21 October 2010: Wouter
        - Fix bug where fallback_tcp causes wrong roundtrip and edns
          observation to be noted in cache.  Fix bug where EDNSprobe halted
          exponential backoff if EDNS status unknown.
        - new unresponsive host method, exponentially increasing block backoff.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Thu, 21 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2302) fremantle; urgency=low

  ** 20 October 2010: Wouter
        - interface automatic works for some people with ip6 disabled.
          Therefore the error check is removed, so they can use the option.

  ** 19 October 2010: Wouter
        - Fix for request list growth, if a server has long timeout but the
          lost counter is low, then its effective rtt is the one without
          exponential backoff applied.  Because the backoff is not working.
          The lost counter can then increase and the server is blacklisted,
          or the lost counter does not increase and the server is working
          for some queries.

  ** 18 October 2010: Wouter
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 20 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2286) fremantle; urgency=low

  * re-upload, auto-builder failed to deploy package

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 13 Oct 2010 00:01:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2282) fremantle; urgency=low

  * added missing symlink for unbound-anchor
  * added libexpat1 to unbound-tool dependencies

  ** 13 October 2010: Wouter
        - Fix TCP so it uses a random outgoing-interface.
        - unbound-anchor handles ADDPEND keystate.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 13 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2277) fremantle; urgency=low

  * added unbound-anchor to package unbound-tools

  ** 11 October 2010: Wouter
        - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
          the zone has a secure delegation hosted on the same server did not
          verify as secure (it was insecure by mistake).
        - iana portlist updated.
        - ldns tarball updated (for reading cachedumps with bad RR data).

  ** 1 October 2010: Wouter
        - test for unbound-anchor. fix for reading certs.
        - Fix alloc_reg_release for longer uptime in out of memory conditions.

  ** 28 September 2010: Wouter
        - unbound-anchor working, it creates or updates a root.key file.
          Use it before you start the validator (e.g. at system boot time).

  ** 27 September 2010: Wouter
        - iana portlist updated.

  ** 24 September 2010: Wouter
        - bug#329: in example.conf show correct ipv4 link-local 169.254/16.

  ** 23 September 2010: Wouter
        - unbound-anchor app, unbound requires libexpat (xml parser library).

  ** 22 September 2010: Wouter
        - compliance with draft-ietf-dnsop-default-local-zones-14, removed
          reverse ipv6 orchid prefix from builtin list.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Mon, 11 Oct 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2239) fremantle; urgency=low

  ** 17 September 2010: Wouter
        - DLV has downgrade protection again, because the RFC says so.
        - iana portlist updated.

  ** 16 September 2010: Wouter
        - Algorithm rollover operational reality intrudes, for trust-anchor,
          5011-store, and DLV-anchor if one key matches it's good enough.
        - iana portlist updated.
        - Fix reported validation error in out of memory condition.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sun, 19 Sep 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2234) fremantle; urgency=low

  ** 15 September 2010: Wouter
        - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.

  ** 14 September 2010: Wouter
        - increased mesh-max-activation from 1000 to 3000 for crazy domains
          like _tcp.slb.com with 262 servers.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Thu, 16 Sep 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2228) fremantle; urgency=low

  ** 13 September 2010: Wouter
        - bug#327: Fix for cannot access stub zones until the root is primed.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Mon, 13 Sep 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2227) fremantle; urgency=low

  ** 9 September 2010: Wouter
        - unresponsive servers are not completely blacklisted (because of
          firewalls), but also not probed all the time (because of the request
          list size it generates).  The probe rate is 1%.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 11 Sep 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2224) fremantle; urgency=low

  ** 20 August 2010: Wouter
        - openbsd-lint fixes: acl_list_get_mem used if debug-alloc enabled.
          iterator get_mem includes priv_get_mem.  delegpt nodup removed.
          listen_pushback, query_info_allocqname, write_socket, send_packet,
          comm_point_set_cb_arg and listen_resume removed.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 21 Aug 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2221) fremantle; urgency=low

  ** 19 August 2010: Wouter
        - Fix bug#321: resolution of rs.ripe.net artifacts with 0x20.
          Delegpt structures checked for duplicates always.
          No more nameserver lookups generated when depth is full anyway.
        - example.conf notes how to do DNSSEC validation and track the root.
        - iana portlist updated.

  ** 18 August 2010: Wouter
        - Fix bug#322: configure does not respect CFLAGS on Solaris.
          Pass CFLAGS="-xO4 -xtarget=generic" on the configure command line
          if you use sun-cc, but some systems need different flags.

  ** 16 August 2010: Wouter
        - Fix acx_nlnetlabs.m4 configure output for autoconf-2.66 AS_TR_CPP
          changes, uses m4_bpatsubst now.
        - make test (or make check) should be more portable and run the unit 
          test and testbound scripts. (make longtest has special requirements).

 -- Hauke Lampe <lampe@hauke-lampe.de>  Fri, 20 Aug 2010 00:00:00 +0200

unbound (1.4.7-0maemo0~devel1~svn2212) fremantle; urgency=low

  ** 13 August 2010: Wouter
        - More pleasant remote control command parsing.
        - documentation added for return values reported by doxygen 1.7.1.
        - iana portlist updated.

  ** 9 August 2010: Wouter
        - Fix name of rrset printed that failed validation.

  ** 5 August 2010: Wouter
        - Return NXDOMAIN after chain of CNAMEs ends at name-not-found.

  ** 4 August 2010: Wouter
        - Fix validation in case a trust anchor enters into a zone with
          unsupported algorithms.

  ** 3 August 2010: Wouter
        - updated ldns tarball with bugfixes.
        - release tag 1.4.6.
        - trunk becomes 1.4.7 develop.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 14 Aug 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2201) fremantle; urgency=low

  ** 22 July 2010: Wouter
        - more error details on failed remote control connection.

  ** 15 July 2010: Wouter
        - rlimit adjustments for select and ulimit can happen at the same time.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Mon, 26 Jul 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2198) fremantle; urgency=low

  ** 14 July 2010: Wouter
        - Donation text added to README.
        - Fix integer underflow in prefetch ttl creation from cache.  This
          fixes a potential negative prefetch ttl.

  ** 12 July 2010: Wouter
        - Changed the defaults for num-queries-per-thread/outgoing-range.
          For builtin-select: 512/960, for libevent 1024/4096 and for
          windows 24/48 (because of win api).  This makes the ratio this way
          to improve resilience under heavy load.  For high performance, use
          libevent and possibly higher numbers.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 14 Jul 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2190) fremantle; urgency=low

  ** 10 July 2010: Wouter
        - GOST enabled if SSL is recent and ldns has GOST enabled too.
        - ldns tarball updated.

  ** 9 July 2010: Wouter
        - iana portlist updated.
        - Fix validation of qtype DNSKEY when a key-cache entry exists but
          no rr-cache entry is used (it expired or prefetch), it then goes
          back up to the DS or trust-anchor to validate the DNSKEY.

  ** 7 July 2010: Wouter
        - Neat function prototypes, unshadowed local declarations.

  ** 6 July 2010: Wouter
        - failure to chown the pidfile is not fatal any more.
        - testbound uses UTC timezone.
        - ldns tarball updated (ports and works on Minix 3.1.7).  On Minix, add
          /usr/gnu/bin to PATH, use ./configure AR=/usr/gnu/bin/gar and gmake.

  ** 5 July 2010: Wouter
        - log if a server is skipped because it is on the donotquery list,
          at verbosity 4, to enable diagnosis why no queries to 127.0.0.1.
        - added feature to print configure date, target and options with -h.
        - added feature to print event backend system details with -h.
        - wdiff is not actually required by make test, updated requirements.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sun, 11 Jul 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2173) fremantle; urgency=low

  ** 1 July 2010: Wouter
        - Fix RFC4035 compliance with 2.2 statement that the DNSKEY at apex
          must be signed with all algorithms from the DS rrset at the parent.
          This is now checked and becomes bogus if not.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Fri, 02 Jul 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2171) fremantle; urgency=low

  ** 28 June 2010: Wouter
        - Fix jostle list bug found by Vince (luoce@cnnic), it caused the qps
          in overload situations to be about 5 qps for the class of shortly
          serviced queries.
          The capacity of the resolver is then about (numqueriesperthread / 2)
          / (average time for such long queries) qps for long queries.
          And about (numqueriesperthread / 2)/(jostletimeout in whole seconds)
          qps for short queries, per thread.
        - Fix the max number of reply-address count to be applied for duplicate
          queries, and not for new query list entries.  This raises the memory
          usage to a max of (16+1)*numqueriesperthread reply addresses.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 30 Jun 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2169) fremantle; urgency=low

  ** 25 June 2010: Wouter
        - Fix handling of corner case reply from lame server, follows rfc2308.
          It could lead to a nodata reply getting into the cache if the search
          for a non-lame server turned up other misconfigured servers.
        - unbound.h has extern "C" statement for easier include in c++.

  ** 23 June 2010: Wouter
        - iana portlist updated.
        - makedist upgraded cross compile openssl option, like this: 
          ./makedist.sh -s -wssl openssl-1.0.0a.tar.gz -w --enable-gost

  ** 22 June 2010: Wouter
        - Unbound reports libev or libevent correctly in logs in verbose mode.
        - Fix to unload gost dynamic library module for leak testing.

  ** 18 June 2010: Wouter
        - iana portlist updated.

  ** 17 June 2010: Wouter
        - Add AAAA to root hints for I.ROOT-SERVERS.NET.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 26 Jun 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2156) fremantle; urgency=low

  ** 16 June 2010: Wouter
        - Fix assertion failure reported by Kai Storbeck from XS4ALL, the
          assertion was wrong.
        - updated ldns tarball.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 16 Jun 2010 00:00:00 +0200

unbound (1.4.6-0maemo0~devel1~svn2153) fremantle; urgency=low

  ** 15 June 2010: Wouter
        - Fix TCPreply on systems with no writev, if just 1 byte could be sent.
        - Fix to use one pointer less for iterator query state store_parent_NS.
        - makedist crosscompile to windows uses builtin ldns not host ldns.
        - Max referral count from 30 to 130, because 128 one character domains
          is valid DNS.
        - added documentation for the histogram printout to syslog.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 15 Jun 2010 00:01:00 +0200

unbound (1.4.5-0maemo0) fremantle; urgency=low

  ** 15 June 2010: Wouter
        - tag 1.4.5 created.
        - trunk contains 1.4.6 in development.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 15 Jun 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2146) fremantle; urgency=low

  ** 11 June 2010: Wouter
        - When retrying to the parent, the retrycount is not wiped, so failed
          nameservers are not tried again.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 12 Jun 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2144) fremantle; urgency=low

  ** 10 June 2010: Wouter
        - Fix bug where a long loop could be entered, now cycle detection
          has a loop-counter and maximum search amount.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Thu, 10 Jun 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2143) fremantle; urgency=low

  ** 4 June 2010: Wouter
        - iana portlist updated.
        - 1.4.5rc1 tag created.

  ** 3 June 2010: Wouter
        - ldns tarball updated, 1.6.5.
        - review comments, split dependency cycle tracking for parentside
          last resort lookups for A and AAAA so there are more lookup options.

  ** 2 June 2010: Wouter
        - Fix compile warning if compiled without threads.
        - updated ldns-tarball with current ldns svn (pre 1.6.5).
        - GOST disabled-by-default, the algorithm number is allocated but the
          RFC still has to pass AUTH48 at the IETF.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Fri, 04 Jun 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2129) fremantle; urgency=low

  ** 1 June 2010: Wouter
        - Ignore Z flag in incoming messages too.
        - Fix storage of negative parent glue if that last resort fails.
        - libtoolize 2.2.6b, autoconf 2.65 applied to configure.
        - new splint flags for newer splint install.

  ** 31 May 2010: Wouter
        - Fix AD flag handling, it could in some cases mistakenly copy the AD 
          flag from upstream servers.
        - alloc_special_obtain out of memory is not a fatal error any more,
          enabling unbound to continue longer in out of memory conditions.
        - parentside names are dispreferred but not said to be dnssec-lame.
        - parentside check for cached newname glue.
        - fix parentside and querytargets modulestate, for dump_requestlist.
        - unbound-control-setup makes keys -rw-r--- so not all users permitted.
        - fix parentside from cache to be marked dispreferred for bad names.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 01 Jun 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2119) fremantle; urgency=low

  ** 28 May 2010: Wouter
        - iana portlist updated.
        - parent-child disagreement approach altered.  Older fixes are
          removed in place of a more exhaustive search for misconfigured data
          available via the parent of a delegation.
          This is designed to be throttled by cache entries, with TTL from the
          parent if possible.  Additionally the loop-counter is used.
          It also tests for NS RRset differences between parent and child.
          The fetch of misconfigured data should be more reliable and thorough.
          It should work reliably even with no or only partial data in cache.
          Data received from the child (as always) is deemed more
          authoritative than information received from the delegation parent.
          The search for misconfigured data is not performed normally.

  ** 26 May 2010: Wouter
        - Contribution from Migiel de Vos (Surfnet): nagios patch for
          unbound-host, in contrib/ (in the source tarball).  Makes
          unbound-host suitable for monitoring dnssec(-chain) status.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Fri, 28 May 2010 00:00:00 +0200

unbound (1.4.5-0maemo0~devel1~svn2115) fremantle; urgency=low

  * dh_makeshlibs breaks on Maemo autobuilder, works in local SDK
  * debug: disable dh_makeshlibs, works in local SDK, see what breaks it
    * without makeshlibs, shlibdeps doesn't find libunbound2
    * added static deps
    * test with mockup next
  * note to self: changing targets:
    *  make realclean; svn update; dpkg-buildpackage

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 22 May 2010 00:01:00 +0200

unbound (1.4.5-0maemo0~devel~svn2115) fremantle; urgency=low

  ** 21 May 2010: Wouter
        - EDNS timeout code will not fire if EDNS status already known.
        - EDNS failure not stored if EDNS status known to work.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Sat, 22 May 2010 00:00:00 +0200

unbound (1.4.5-0~ppa~lampe1+svn2114) unstable; urgency=low

  ** 9 May 2010: Wouter
        - Fix resolution for domains like safesvc.com.cn.  If the iterator
          can not recurse further and it finds the delegation in a state
          where it would otherwise have rejected it out of hand if so received
          from a cache lookup, then it can try to ask higherup (with loop
          protection).
        - Fix comments in iter_utils:dp_is_useless.

  ** 18 May 2010: Wouter
        - Fix various compiler warnings from the clang llvm compiler.
        - iana portlist updated.

 -- Hauke Lampe <lampe@hauke-lampe.de>  Wed, 19 May 2010 00:00:00 +0200

unbound (1.4.5-0~ppa~lampe1+svn2110) unstable; urgency=low

  * svn rev. 2110

 -- Hauke Lampe <lampe@hauke-lampe.de>  Tue, 11 May 2010 00:00:00 +0200

