We are pleased to announce the release of version 1.7.1 of the Unbound recursive DNS resolver. There are a number of bug fixes, but also some features.
This release has root key sentinel support, default on, from draft draft-ietf-dnsop-kskroll-sentinel. The root key sentinel helps the root key rollover process by providing insight into the distribution of the key material over the resolver population. For that, the resolver gives responses indicating which keys are in use by the resolver.
Crypto support for ED448 has been added. ED25519 was already supported in a previous release. The crypto algorithm code is default turned on if support is detected at configure time. The openssl 1.1.1 beta versions have ED448, and also ED25519 support.
For DNS over TLS, the tcp length is sent in the same packet as the tcp content, for the TLS connections, providing a speed up. Also TLS authentication can be enabled by specifying the TLS auth name in unbound.conf. An example config for large public cloud dns over tls resolvers is this:
server: tls-cert-bundle: "ca-bundle.pem" forward-zone: name: "." forward-addr: "184.108.40.206#dns.quad9.net" forward-addr: "220.127.116.11#cloudflare-dns.com" forward-tls-upstream: yes
It is possible to have unbound as a TLS server serve TLS on different ports, with additional-tls-port. Use this to set up dns over tls service on both ports 853 and 443.
For fast server selection, there are new options low-rtt and low-rtt-pct. For example set low-rtt-pct: 900 to enable it. These options are experimental at this time. We are interested in user experiences, and are intending to look at the expressiveness that is desired for ease of use and applicability. Also, the pct part of low-rtt-pct is technically the wrong term and we intend to replace it with promille (likely in a future release, together with user experience feedback changes).
There is hiredis support for the cachedb module.
Monitoring of the new agrressive NSEC and auth zone root local copy features is possible with statistics counters for agressive NSEC and for auth zone usage. Auth zone supports incoming NOTIFYs, from masters and from allow-notify hosts. Auth zones can be listed from unbound-control with their SOA serial number.
Unbound-control set_option and get_option needed different ':' placement, the current release allows with and without ':' syntax.
For a full list of changes and binary and source packages, see the download page.