Unbound 1.18.0 released

We are pleased to announce the release of version 1.18.0 of the Unbound recursive DNS resolver.

This release adds DNS cookies downstream, support to respond with EDE error codes from cache, NAT64 support, and the capability to use a socket queue timeout to discard old packets, and other features and bug fixes.

The downstream DNS server cookies are from RFC7873 and RFC9018, it is turned on with answer-cookie: yes. It generates a random cookie secret, but for anycast setups the cookie secret can be configured with cookie-secret: "128bithex" with the same value as the other instances. Non cookie traffic can be disallowed with the allow_cookie acl option for access-control. Queries with valid cookie bypass the ordinary ratelimit, but a ratelimit can be configured for cookie queries with ip-ratelimit-cookie: 100. The statistics has counters for query_cookie_valid and query_cookie_client and query_cookie_invalid.

When queries come in with CD flag, a DNSSEC validation EDE can be returned, with information regarding a failure. EDE error information is also stored in the cache with the query responses. There is also EDE error information stored for the cachedb and the subnetcache.

There is NAT64 support, that is enabled with do-nat64: yes. The NAT64 prefix can be configured too, if not the default nat64-prefix: 64:ff9b::0/96. This is useful for an IPv6 only host where Unbound is running, so that Unbound can use NAT64 to connect to IPv4 servers.

The new default for the maximum UDP response size is 1232, with max-udp-size: 1232. This is similar to other resolvers. The new default is smaller and that makes it harder to get large responses. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

There is a new option harden-unknown-additional: yes. This removes unknown records from the authority and additional section. This stops unknown records from being copied from the upstream to the downstream client, potentially exposing those clients to the extra records. Default is no, because it could hamper future protocol developments that want to add records. Thanks to Xiang Li, from NISL Lab, Tsinghua University.

With the sock-queue-timeout: 3 option kernel timestamps are turned on for UDP queries, and old packets are dropped. Queries that have waited in the socket buffer for a long time are then discarded, and is useful if the host was not running for a while. The statistics has num.queries_timed_out and query.queue_time_us.max counters.

The local-zone type block_a is for when queries to IPv4 have to be stopped to force IPv6 usage. It stops type A queries with nodata, and transparently allows other queries.

The redis server can be contacted over a unix socket with redis-server-path: "/var/lib/redis/redis-server.sock". The redis server password can be configured with redis-server-password: "password".

The number of hashtable collisions is logged in the statistics counters msg.cache.max_collisions and rrset.cache.max_collisions. It can be used to monitor for mistakes where the wrong or same hash value occurs too frequently.

The repository does not have the bison and flex generated output in it, so these tools are necessary to compile from a checkout, the tarball distribution contains pregenerated files and can use either those files or bison and flex tools on the compile system.

If kernel timestamps are enabled, with the sock-queue-timeout option, they are also used to set the time for dnstap logs.

There is a yocto compatible init script available in the contrib directory of the source code, unbound.init_yocto. The number of cachedb hits from cache is output in num.query.cachedb. There is support for the dohpath parameter for the SVCB record type. Prefetch is supported for subnet cache entries. Detection of the python paths on the system has been expanded.

For a full list of changes and binary and source packages, see the download page.