Unbound 1.9.0 released

Published: Tue 05 February 2019

We are pleased to announce the release of version 1.9.0 of the Unbound recursive DNS resolver.

This release contains the DNS Flag Day changes for Unbound. See the reference here, https://dnsflagday.net/ . Or this presentation: EDNS Flag Day - OARC29.pdf . The EDNS timeouts are not used to fallback to nonEDNS queries.

Out of order processing is implemented, for TCP and TLS. It can be configured with a maximum amount of memory to use to store pending answers, and the current memory usage is in the statistics output. This is with stream-wait-size in unbound.conf and mem.streamwait in unbound-control stats output. Streams that cause the total memory counted to exceed the maximum are dropped, but it is possible to get a number of responses with little memory used.

There is also TLS session resumption support, that can be enabled with the tls-session-ticket-keys option. Together with the already existing TCP fast open, enabled with --enable-tfo-server --enable-tfo-client, that enables zero RTT stream reconnections to the server. Make sure to also increase incoming-num-tcp if you expect a lot of TCP and TLS users.

Options are added to set the TLS ciphers and TLS ciphersuites from unbound.conf. This can be done with the tls-chiphers and tls-ciphersuites options.

TLS can be used from libunbound, with the ub_ctx_set_tls config call, use that together with ub_ctx_set_fwd to select DNS over TLS transport.

For a full list of changes and binary and source packages, see the download page.

Related links:

software update