Unbound 1.9.2 released (June 17)

Unbound 1.9.2 was released on June 17. You can download it here; some new features, lots of bug fixes.

I've set up a new Pi-hole (version 4.3) on Raspbian (April 2019 release), Pi model 3B.

The following instruction topics have been tested; they all appear to work without problems (you need to replace 1.9.1 with 1.9.2):

  • compiling unbound from source here.
  • monitor unbound with munin here.
  • using unbound as unfiltered DNS here.

Interesting topic on Reddit here: unbound is going to be audited.


One new feature is

PR #16: XoT support, AXFR over TLS, turn it on with master: <ip>#<authname> in unbound.conf. This uses TLS to download the AXFR (or IXFR).

I have XoT running successfully since yesterday.

Could you please explain this in some (possibly a lot) more detail: benefits, configuration, examples, …
I found this article, which explains it in general. What I want to know:

  • Do I need to use DNS-over-TLS, in order to use this, or can I use this with my current configuration?
  • Do you need to configure anything on the clients?
  • Will it work with all browsers?

Thanks for your time and effort.

Sorry, my fault.

As I'm also using

 auth-zone:
   ...
   url: "https://www.internic.net/domain/root.zone"
   ...

I thought XoT was working, but it isn't.
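For readers trying to tell the two mechanisms apart, here is an added example unbound.conf fragment; it is not from any post in this thread nor from the Unbound project's own documentation. The first auth-zone uses url: to fetch the root zone over HTTPS, as in the post above; that is an HTTPS file download, not XoT. The second uses the master: ip#authname form from the 1.9.2 changelog: the zone is transferred with AXFR/IXFR over TLS, and the name after # is the name Unbound expects in the master's certificate, verified against the CA bundle given in tls-cert-bundle. The address 192.0.2.53, the zone example.net and the host name ns1.example.net are placeholders for your own secondary-zone setup.

```conf
server:
    # CA bundle used to verify the TLS certificate presented by the XoT master.
    # Path is the one Debian/Raspbian ships; adjust on other systems.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Root zone fetched over HTTPS. This is a plain file download, NOT XoT.
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-upstream: yes
    for-downstream: no
    zonefile: "/var/lib/unbound/root.zone"

# Zone transferred with AXFR/IXFR over TLS (XoT, new in 1.9.2).
# 192.0.2.53 and ns1.example.net are placeholders; the name after '#' must
# match the certificate the master presents, or the transfer is refused.
auth-zone:
    name: "example.net."
    master: 192.0.2.53#ns1.example.net
    fallback-enabled: no
    for-upstream: yes
    for-downstream: no
    zonefile: "/var/lib/unbound/example.net.zone"
```

XoT only runs between the resolver and the zone's master: it does not require DNS-over-TLS towards your clients, and nothing changes for browsers or other devices, which keep sending plain DNS to Pi-hole as before. Validate the file with unbound-checkconf before restarting, and expect the XoT zone to stay empty if the certificate name does not match, since fallback-enabled is set to no.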

Do you know if there is a Debian/Raspbian package or is compiling from source the only way to go?

There is a deb package, but not of the updated version; you would need to compile from source.

If you don't care about security and new features (i.e. the latest version), you can follow this guide from the Pi-hole developers. You will NOT be able to use the more recent features, since the versions in the Raspbian (and probably Debian) distributions aren't the most recent ones (read: old...).

The guides I mentioned when opening this topic assume a compiled version; I never tested whether they would work with the version included with Raspbian.

Is unbound 1.6.x (ships with Stretch) insecure?

Look at the number of bug fixes made to unbound since the release of 1.6 (hit "toggle older versions"). I would assume the latest version is the better choice.

Assume? From this you conclude that if you don't run the latest version, you don't care about security?

I was the OP on this post that prompted the detailed instructions on compiling from source.

I care about security. Quite a bit. But I also care about convenience. I don't want to have to uninstall/purge and backup/restore my settings each time there is an update.

What does one need to do to encourage an updated Raspbian/Debian package for Unbound?

It seems like this community has a large enough critical mass of Unbound users to encourage one.

Change.org petition anyone? I jest. But only slightly.

I sent the following to the Unbound Debian/Raspbian package maintainers via email:

Hello,

I'm a user of Unbound on Raspbian (in concert with a Pi-hole).

I noticed that Unbound has recently been updated to version 1.9.2, however the stable version available on Raspbian Stretch is still 1.6.0.

Is there any possibility that this package will be updated to a more current version of Unbound sometime soon?

There is a large community of Unbound users on Raspbian due to the Pi-hole. I know many would appreciate an updated package.

Please let me know if this is possible and likely. Thank you.

Best,

JAW


The Raspbian update frequency isn't impressive at all. The release dates since I started using Pi-hole:

2016-11-25-raspbian-jessie-lite.img
2017-01-11-raspbian-jessie-lite.img
2017-02-16-raspbian-jessie-lite.img
2017-03-02-raspbian-jessie-lite.img
2017-04-10-raspbian-jessie-lite.img
2017-06-21-raspbian-jessie-lite.img
2017-07-05-raspbian-jessie-lite.img
2017-08-16-raspbian-stretch-lite.img
2017-09-07-raspbian-stretch-lite.img
2017-11-29-raspbian-stretch-lite.img
2018-03-13-raspbian-stretch-lite.img
2018-04-18-raspbian-stretch-lite.img
2018-06-27-raspbian-stretch-lite.img
2018-10-09-raspbian-stretch-lite.img
2018-11-13-raspbian-stretch-lite.img
2019-04-08-raspbian-stretch-lite.img

2017: 9 releases
2018: 5 releases
2019: 1 release

Of course you have to run sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -yq upgrade to keep your OS current, OR implement auto-updating using webmin (see my manual here, chapter 4, section 11), but this will NOT solve the old-versions problem.
Raspbian includes a lot of external software, such as unbound, which is great for testing purposes, but if you're going to run it in a "production" environment, you should use software you compiled yourself whenever possible, that is, if you want current releases.

Thanks for your contributions.

If you don't mind sharing; what would one need to do to (i) preserve their Unbound configuration and (ii) uninstall/purge completely before following the compiling instructions you provided earlier?

I'm afraid I cannot help you there.
Whenever there is a new release of Raspbian, unbound, Pi-hole, knot-resolver, … I set up a new Pi-hole on another SD card, rotating between them (3 of them), so I can always fall back on a working SD card holding the previous working configuration.

In order to do that, I've set up WAMP on one of my Windows computers, holding all the configuration files and scripts needed to make this as easy as possible, and transfer them to the new SD card with wget. Currently 31 scripts to execute, total execution time about an hour.

Don't ask, I cannot share the scripts, as they contain passwords and SSH keys, needed to make it all work. You'll have to make your own, but in the end, this will lead to a fast and error free setup, using the latest software.

Example of such a script:

#!/bin/bash

# Make sure only root can run our script (so no sudo is needed below)
if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

# ntp: install, then point the daemon at a local NTP server instead of the Debian pool
apt-get -yq install ntp
file=/etc/ntp.conf
#sed -i 's/debian.pool.ntp.org/europe.pool.ntp.org/g' "$file"
# comment out every debian.pool.ntp.org line
sed -i 's/.*debian.pool.ntp.org/#&/' "$file"
# append a local server line after the "You do need to talk to an NTP server" comment
sed -i '/You do need to talk to an NTP server/aserver 192.168.xxx.yyy' "$file"

timedatectl set-timezone Europe/Brussels
# stop the daemon, force a one-shot sync, start it again
/etc/init.d/ntp stop
ntpd -gq
/etc/init.d/ntp start

# fetch the check script and its cron entry from the local WAMP server
wget http://192.168.xxx.zzz/raspbian/home/pi/ntpcheck.sh -O /home/pi/ntpcheck.sh
chmod +x /home/pi/ntpcheck.sh
wget http://192.168.xxx.zzz/raspbian/etc/cron.d/ntpcheck -O /etc/cron.d/ntpcheck
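The question above about preserving the Unbound configuration and purging the distribution package before compiling went unanswered in the thread. As an added example, not from any participant here and not from the Pi-hole or Unbound projects, this script does the three steps in order: archive /etc/unbound, purge the Raspbian package (purging deletes its conffiles, hence the backup first), then download, checksum, build and install a chosen upstream release and put the archived configuration back. The package names unbound and unbound-anchor, the NLnet Labs download URL and the configure flags are assumptions; adjust them to the guide you follow.

```bash
#!/bin/bash
# Added example (not from this thread): keep your unbound configuration,
# remove the Raspbian/Debian package, then build a chosen upstream release.
# Assumptions, adjust to your own setup: package names unbound and
# unbound-anchor, the NLnet Labs download URL and the configure flags.
set -eu

UNBOUND_VERSION="${UNBOUND_VERSION:-1.9.2}"
DOWNLOAD_BASE="https://nlnetlabs.nl/downloads/unbound"   # assumed URL

# Archive a configuration directory into backup_dir and print the archive path.
backup_unbound_conf() {
  local conf_dir="${1:-/etc/unbound}"
  local backup_dir="${2:-/root}"
  [ -d "$conf_dir" ] || { echo "no configuration directory at $conf_dir" >&2; return 1; }
  local archive="$backup_dir/unbound-conf-$(date +%Y%m%d%H%M%S).tar.gz"
  # -C the parent so the archive holds a relative "unbound/..." tree
  tar -czf "$archive" -C "$(dirname "$conf_dir")" "$(basename "$conf_dir")"
  printf '%s\n' "$archive"
}

# Print the members of a backup archive, so you can check it before purging.
list_backup() {
  tar -tzf "$1"
}

# Restore an archive into the parent of the configuration directory.
restore_unbound_conf() {
  tar -xzf "$1" -C "${2:-/etc}"
}

# Purging removes the package's conffiles under /etc/unbound: back up first.
purge_distro_unbound() {
  systemctl stop unbound 2>/dev/null || true
  apt-get -yq purge unbound unbound-anchor
  apt-get -yq autoremove
}

# Download, verify the checksum published beside the tarball, build, install.
build_unbound() {
  local tarball="unbound-$UNBOUND_VERSION.tar.gz"
  local workdir
  workdir="$(mktemp -d)"
  cd "$workdir"
  wget -q "$DOWNLOAD_BASE/$tarball" "$DOWNLOAD_BASE/$tarball.sha256"
  # The .sha256 file may hold only the digest; rebuild a sha256sum -c line.
  local expected
  expected="$(cut -d' ' -f1 "$tarball.sha256")"
  printf '%s  %s\n' "$expected" "$tarball" | sha256sum -c -
  tar -xzf "$tarball"
  cd "unbound-$UNBOUND_VERSION"
  # Flags assumed; --sysconfdir=/etc keeps /etc/unbound as the config dir
  ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
              --with-libevent --with-pthreads
  make -j"$(nproc)"
  make install
}

# Run the whole sequence only when invoked as: sudo ./upgrade-unbound.sh run
if [ "${1:-}" = "run" ]; then
  [ "$(id -u)" = "0" ] || { echo "run as root" >&2; exit 1; }
  archive="$(backup_unbound_conf /etc/unbound /root)"
  list_backup "$archive"
  purge_distro_unbound
  build_unbound
  restore_unbound_conf "$archive" /etc
  unbound-checkconf /etc/unbound/unbound.conf
fi
```

Keep the printed archive path somewhere safe: once apt-get purge has run, it is the only copy of your configuration. The compiled build does not install a service unit, so the systemd or init setup still has to come from the compile guide you follow; the final unbound-checkconf only tells you the restored configuration parses with the new binary.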

Thanks for the input. I'll sic my 15-year-old on the scripting.

I like your approach and am considering setting up a second Pi-hole for redundancy.

Debian has their own release schedule and there really is nothing that will change that. The reason people choose Debian is for this policy. When running on a server you want packages that are stable, tested, used, tested, and stable. (Redundancy intended.) But that doesn't mean that packages are completely frozen in place once they release. If a security issue is found then Debian will release updates with fixes picked and ported. See https://metadata.ftp-master.debian.org/changelogs//main/u/unbound/unbound_1.6.0-3+deb9u2_changelog for unbound and notice all the upstream security fixes that are backported.

New features are not typically a reason for a package update once the release has frozen.


Meaning? Reference?

I can't seem to get qname minimization to work when compiling 1.9.2. Never tested it with earlier versions though. When running "dig txt qnamemintest.internet.nl" it says it's not working; it works with Knot. Any ideas?

Too bad Unbound seems stalled in Debian, now with Buster being released soon as well.

Interesting, you consider 1.9.0 to be dead. Debian -- Details of package unbound in buster
