We are pleased to announce the release of version 1.22.0 of the Unboundrecursive DNS resolver.
This release has an option to harden against unverified glue, itis enabled withharden-unverified-glue: yes. It was contributedby Karthik Umashankar from Microsoft. This protects Unbound againstbad glue, that is out of zone, by performing a lookup for it.Because it uses the original information as a last resort if nothingworks, it should not give lookup failures, and add protection.
There are options to configure the scrubbing for NS records andthe CNAME scrubbing and the max global quota lookup limit fromprevious security fix releases. They can be configured with theoptionsiter-scrub-ns,iter-scrub-cname andmax-global-quota.
For redis use, with cachedb, it is possible to specify thetimeout for the initial connection separately from the timeoutfor commands. With the optionsredis-command-timeout: 20 andredis-connect-timeout: 200 they can be set separately, fora longer connect attempt, but a short command timeout to keepresolution faster.
It is possible to log with ISO8601 format withlog-time-iso: yesthis also logs time in milliseconds. Useful if the server writes tofile, syslog may have its own format.
DNS over QUIC is support is added, if compiled with libngtcp2 andwith the openssl+quic that it uses. Use--with-libngtcp2 for that,and enable it withquic-port: 853. There is a post about itonhttps://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is toappear after the release].
For a full list of changes, binary and source packages, see thedownload page.
Related links: