We are pleased to announce the release of version 1.9.0 of the Unbound recursive DNS resolver.
This release contains the DNS Flag Day changes for Unbound. See https://dnsflagday.net/ for the reference, or the presentation EDNS Flag Day - OARC29.pdf . Timeouts on EDNS queries are no longer used as a trigger to fall back to non-EDNS queries.
Out-of-order processing of queries on a stream is implemented for TCP and TLS, so one slow answer no longer holds up the answers queued behind it on the same connection. The memory used to hold pending answers is capped by the stream-wait-size option in unbound.conf, and the current usage is reported as mem.streamwait in the unbound-control stats output. A stream whose pending answers would push the total over the configured maximum is dropped, but a large number of responses can still be served within a small budget, because only answers that are ready and waiting for the stream count against it.
TLS session resumption is also supported; it is enabled with the tls-session-ticket-keys option. Because whoever holds the ticket key can decrypt the sessions it protects, keep that file private and rotate it. Together with the existing TCP Fast Open support, enabled at build time with --enable-tfo-server and --enable-tfo-client, this allows clients to reconnect to the server with zero round trips before sending their query. Also raise incoming-num-tcp if you expect many TCP and TLS clients, since every open stream occupies one of those per-thread slots.
Options are added to set the TLS ciphers and TLS ciphersuites from unbound.conf: tls-ciphers selects the cipher list for TLS 1.2 and earlier, and tls-ciphersuites selects the TLS 1.3 ciphersuites, both in OpenSSL syntax.
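As an added example (not part of this release or of Unbound's own documentation), the shell script below writes a server: fragment that enables the stream features described above, generates the 80-byte random key file that tls-session-ticket-keys expects, and reads mem.streamwait back out of unbound-control stats output to show how close a resolver is to its stream-wait-size limit. The option names are from unbound.conf; the paths, sizes, cipher strings, interface and the sample stats text are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example for this announcement, not part of the Unbound release or its
# documentation. Option names come from unbound.conf(5); the paths, sizes,
# cipher strings and sample stats below are assumptions chosen for illustration.
set -eu

# Convert an unbound.conf memory size ("4m", "512k", "1g" or plain bytes) to bytes.
memsize_bytes() {
    case "$1" in
        *k|*K) echo $(( ${1%?} * 1024 )) ;;
        *m|*M) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *g|*G) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Create a tls-session-ticket-keys file: unbound expects exactly 80 random bytes.
# Prints the resulting size so a wrong-sized file is caught before unbound rejects it.
gen_ticket_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -out "$1" 80
    else
        dd if=/dev/urandom of="$1" bs=80 count=1 2>/dev/null
    fi
    chmod 600 "$1"            # anyone who can read this key can decrypt resumed sessions
    wc -c < "$1" | tr -d ' '
}

# Write a server: fragment enabling the 1.9.0 stream features.
# $1 = output file, $2 = ticket key file, $3 = stream-wait-size value
write_stream_conf() {
    cat > "$1" <<EOF
server:
    # assumed listener and certificate paths; DNS over TLS needs all three
    interface: 0.0.0.0@853
    tls-service-key: "/etc/unbound/tls/server.key"
    tls-service-pem: "/etc/unbound/tls/server.pem"
    # cap on memory for answers waiting on busy TCP/TLS streams (mem.streamwait)
    stream-wait-size: $3
    # TLS session resumption; the first listed key encrypts new tickets and the
    # others only decrypt, so rotate by listing a fresh key first
    tls-session-ticket-keys: "$2"
    # TLS 1.2 cipher list and TLS 1.3 ciphersuites in OpenSSL syntax (assumed choice)
    tls-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    # one slot per open TCP/TLS connection per thread; raise it for many stream users
    incoming-num-tcp: 1000
EOF
}

# Pull one counter out of `unbound-control stats` output read from stdin.
stat_value() {
    awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# Percentage of stream-wait-size currently held by pending stream answers.
# Usage: unbound-control stats | streamwait_pct 4m
streamwait_pct() {
    limit=$(memsize_bytes "$1")
    used=$(stat_value mem.streamwait)
    echo $(( ${used:-0} * 100 / limit ))
}

# Constructed sample of stats output, so the parser can be exercised offline.
SAMPLE_STATS="total.num.queries=1234
mem.cache.rrset=262144
mem.streamwait=1048576"

# Build the fragment and ticket key in a scratch directory, then read the sample.
work=$(mktemp -d)
gen_ticket_key "$work/ticket.dat" >/dev/null
write_stream_conf "$work/unbound.conf" "$work/ticket.dat" 4m
printf '%s\n' "$SAMPLE_STATS" | streamwait_pct 4m   # prints 25 for the sample above
rm -rf "$work"
```

Run unbound-checkconf on the generated file once tls-service-key and tls-service-pem point at real certificate files; the script does not run it itself because the placeholder paths do not exist. Against a live resolver, unbound-control stats | streamwait_pct 4m gives the percentage of the configured budget in use, which is the number to watch before deciding whether to raise stream-wait-size or whether clients are being dropped.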
TLS can be used from libunbound with the new ub_ctx_set_tls configuration call; use it together with ub_ctx_set_fwd so that queries to the configured forwarder are sent over DNS over TLS.
For a full list of changes and binary and source packages, see the download page.