Unbound 1.21.0 released

Published: Thu 15 August 2024
Last updated: Mon 16 June 2025

We are pleased to announce the release of version 1.21.0 of the Unbound recursive DNS resolver.

This release contains fixes for the CAMP and CacheFlush issues. Both are rated low severity for Unbound, since Unbound is only marginally affected by them.

Compositional Amplification (CAMP) attacks can be used for denial of service against DNS servers. In Unbound, legitimate client requests to the resolver under a typical workload are not directly affected by CAMP attacks. Nevertheless, this release introduces a global quota of 128 outgoing packets per client query (shared with all of its subqueries) that is never reset, to prevent CAMP from being combined with other amplification attacks in the future. We would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from the NetSec group, ETH Zurich, for discovering the issue and notifying us.

CacheFlush attacks (NSCacheFlush, CNAMECacheFlush) try to evict cached data by combining rogue zones with a steady stream of rogue queries to a resolver. Depending on the zone, the stream, the configured cache size and the legitimate traffic, Unbound could experience a degradation of service when a useful entry is evicted and has to be resolved again. As a mitigation for the NSCacheFlush attack, Unbound now limits an NS RRset to 20 RRs. We would like to thank Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University) for discovering the issue and notifying us.
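The two mitigations above (the 128-packet quota that is shared by a query and all its subqueries and never reset, and the 20-RR cap on NS RRsets) are easiest to appreciate in a small model. The Python below is an added illustration, not Unbound source: it walks a constructed delegation chain in which every NS name in a referral lives in a zone that itself has to be resolved, and counts the packets a resolver would send. The depth and the number of NS records per referral are constructed; the quota of 128 and the cap of 20 are the values from the release notes. `shared_quota=True` models the behaviour described above; `shared_quota=False` models a limit that starts fresh for every subquery, which is why it never binds and the work multiplies.

```python
"""Schematic model of a per-query outgoing-packet quota.

Added illustration only, not Unbound source. The delegation shape
(depth, NS records per referral) is constructed.
"""

GLOBAL_QUOTA = 128   # outgoing packets per client query, incl. subqueries (release notes)
NS_RRSET_CAP = 20    # maximum NS RRs kept from one NS RRset (release notes)


class Budget:
    """Counter of outgoing packets still allowed. It is never refilled."""

    def __init__(self, packets: int) -> None:
        self.remaining = packets

    def spend(self) -> bool:
        """Charge one packet; False means the quota is gone and nothing is sent."""
        if self.remaining <= 0:
            return False
        self.remaining -= 1
        return True


def total_packets(depth: int, ns_count: int, shared_quota: bool,
                  ns_cap: int = NS_RRSET_CAP) -> int:
    """Packets sent to finish one client query against a rogue delegation
    chain `depth` levels deep, where every referral carries `ns_count` NS
    records and each NS name needs a subquery of its own to resolve.

    shared_quota=True  : one Budget(GLOBAL_QUOTA) for the client query and
                         every subquery it spawns, never reset.
    shared_quota=False : every subquery starts with its own fresh budget,
                         so the limit never binds and the fan-out compounds.
    ns_cap             : how many NS RRs of a referral are kept (20 in 1.21.0).
    """
    sent = 0

    def walk(level: int, budget: Budget) -> None:
        nonlocal sent
        if not budget.spend():      # quota exhausted: this subquery fails, sends nothing
            return
        sent += 1                   # the one packet this (sub)query sends upstream
        if level == 0:
            return                  # leaf: a final answer instead of another referral
        # Each NS name in the (capped) referral is in a zone that must itself
        # be resolved, so every kept NS RR becomes a subquery.
        for _ in range(min(ns_count, ns_cap)):
            child = budget if shared_quota else Budget(GLOBAL_QUOTA)
            walk(level - 1, child)

    walk(depth, Budget(GLOBAL_QUOTA))
    return sent


if __name__ == "__main__":
    for shared in (False, True):
        print(f"shared_quota={shared}: "
              f"{total_packets(3, 50, shared, ns_cap=50)} packets without an NS cap, "
              f"{total_packets(3, 50, shared)} with the cap of {NS_RRSET_CAP}")
```

With a fresh budget per subquery the packet count is the size of the whole delegation tree (1 + 50 + 50² + 50³ without the cap, 1 + 20 + 20² + 20³ with it); with the shared, never-reset quota it is exactly 128 regardless of how the chain is shaped, while a small legitimate tree that fits within the quota is resolved completely.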

The remaining changes in this release are bug fixes. In addition, the unbound-control commands that flush the cache now clear both the in-memory cache and the cachedb module cache. The ipset module can use BSD pf tables. The new option dnstap-sample-rate: N (for example 100) logs one in every N messages, for use in high-volume server environments where the dnstap log server cannot keep up.

The new DNSSEC key for the root, key tag 38696 from 2024, has been added to the default root keys in unbound-anchor. The built-in content can be inspected with unbound-anchor -l. Older versions of Unbound keep up with the root key through auto-trust-anchor-file, which performs RFC 5011 key rollover. If needed, unbound-anchor can also fetch the keys from the website, verified with a certificate.
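A key tag such as 38696 is derived from the DNSKEY record itself, so an operator who obtains the root DNSKEY from another source can recompute the tag and the DS digest and compare them with the trust anchor that unbound-anchor -l prints. The Python below is an added example, not unbound-anchor's code; it implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) computations. The DNSKEY line in it is constructed throwaway material, not the real root key, which is why its tag deliberately does not equal 38696 and the check reports a mismatch. The real key tag and DS digest to compare against must come from unbound-anchor -l or from IANA's published trust anchor.

```python
"""Recompute the key tag and DS digest of a DNSKEY to check a trust anchor.

Added example, not unbound-anchor's code. The DNSKEY used below is
constructed test material, not the real root KSK.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name; the root is b'\\x00'."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # odd-length RDATA: last byte is a high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 5.1.4: digest over canonical owner name || DNSKEY RDATA.
    Digest type 2 is SHA-256, the type used for the root DS records."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey_line(line: str) -> tuple[str, int, int, int, bytes]:
    """Parse a presentation-format DNSKEY RR such as the output of `dig . DNSKEY`:
    '. 172800 IN DNSKEY 257 3 8 AwEAAa...' (the TTL may be absent, and the base64
    may be split across several tokens). Trailing ';' comments are ignored."""
    toks = line.split(";")[0].split()
    i = toks.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags, protocol, algorithm, pubkey


def check_anchor(dnskey_line: str, expected_tag: int, expected_ds_digest: str) -> dict:
    """Compare a DNSKEY with the key tag and SHA-256 DS digest you expect to trust."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    digest = ds_digest(owner, rdata)
    return {
        "owner": owner,
        "key_tag": tag,
        "ds_digest": digest,
        "ok": tag == expected_tag and digest == expected_ds_digest.upper(),
    }


# Constructed DNSKEY (4-byte fake public key), NOT the real root KSK.
CONSTRUCTED_ROOT_DNSKEY = ".  172800  IN  DNSKEY  257 3 8  AQID BA=="

if __name__ == "__main__":
    # Against the real 2024 root key tag the constructed key must be rejected.
    result = check_anchor(CONSTRUCTED_ROOT_DNSKEY, 38696, "00" * 32)
    print(result)
```

For real use, paste the DNSKEY line you obtained into `check_anchor` together with the key tag and the digest from the DS record that unbound-anchor -l shows; a `False` result means the key is not the anchor Unbound ships, whatever its source claims.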

Cookie secrets can now be rolled over. The secret in use and the staging secret are kept in the file configured with cookie-secret-file. The rollover is performed through the remote control: add_cookie_secret adds a new secret as the staging secret, activate_cookie_secret swaps the staging and active secrets, drop_cookie_secret removes the staging (previously active) secret once it is no longer needed, and print_cookie_secrets shows the secrets currently in the file.

Compared to the RC1, the release has a fix for module loading on Windows,and a spelling correction.

For a full list of changes, and for binary and source packages, see the download page.

Related links:

software update

