We are pleased to announce the release of version 1.7.0 of the Unbound recursive DNS resolver. Apart from numerous bug fixes, this version introduces some important new features.
Authority zones is an option that makes it possible to transfer an authoritative zone to Unbound. These transfers can happen using either HTTP/HTTPS or using the traditional DNS transfer mechanisms (AXFR and IXFR). The authority zones option can be used to load a copy of the root zone as described in RFC 7706. Having the root zone loaded in a resolver can potentially decrease the round-trip times. Not having to contact the root servers also enhances privacy.
Also new in Unbound 1.7.0 is the aggressive use of the DNSSEC-validated cache, as described in RFC 8198. This feature allows Unbound to use cached NSEC records to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency and resource utilization on both authoritative and recursive servers, and increases privacy.
Finally, we introduced the dnscrypt-provider-cert-rotated option, kindly contributed by Manu Bretelle. It allows handling multiple cert/key pairs while only distributing some of them. In order to reliably match a client magic with a given key without strong assumptions as to how those were generated, we need both the key and the cert. Both are likewise needed in order to know which ES version should be used. On the other hand, when rotating a cert, it can be desirable to serve only the new cert while still being able to handle clients that are still using the old cert's public key. The dnscrypt-provider-cert-rotated option instructs Unbound not to publish the cert as part of the TXT answer for the DNSCrypt provider_name.
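The three features described above, shown together in an unbound.conf fragment. This is an added example, not taken from the release or the Unbound distribution; all file paths, the listening addresses and the provider name are constructed placeholders.

```conf
# Added example for unbound.conf (Unbound 1.7.0 or later).
# Paths, addresses and the provider name are placeholders.
server:
    # Plain DNS for local clients, plus a separate listener for DNSCrypt.
    interface: 127.0.0.1@53
    interface: 192.0.2.53@443

    # Aggressive use of the cache only applies to DNSSEC-validated data,
    # so a trust anchor must be configured.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # RFC 8198: answer from validated, cached NSEC records.
    aggressive-nsec: yes

# RFC 7706: keep a local copy of the root zone, fetched over HTTPS.
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    zonefile: "root.zone"
    # Fall back to normal recursion if the local copy cannot be used.
    fallback-enabled: yes
    # Use the zone for Unbound's own lookups only; do not serve it
    # authoritatively to downstream clients.
    for-downstream: no
    for-upstream: yes

dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.example.com.

    # Both secret keys stay loaded so queries encrypted to either
    # public key can still be decrypted.
    dnscrypt-secret-key: /etc/unbound/dnscrypt/new.key
    dnscrypt-secret-key: /etc/unbound/dnscrypt/old.key

    # Published in the provider name's TXT answer.
    dnscrypt-provider-cert: /etc/unbound/dnscrypt/new.cert

    # Loaded so the old key can be matched to its client magic and
    # ES version, but not published in the TXT answer.
    dnscrypt-provider-cert-rotated: /etc/unbound/dnscrypt/old.cert
```

Once clients have had time to pick up the new cert, the old key and its rotated cert entry can be dropped from the configuration.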
For a full list of changes and binary and source packages, see the download page.