Back

NLnet Labs
Patches for UNBOUND x86
Windows
8 patches available
Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. Late 2019, Unbound has been rigorously audited, which means that the code base is more resilient than ever.
UNBOUND x86 Version 1.23.1.0
Release Date
7/16/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

16 July; 2025$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$Bug Fixes$$$Fix RebirthDay Attack CVE-2025-5994; reported by Xiang Li from AOSP Lab Nankai University.
UNBOUND x86 Version 1.23.0.0
Release Date
4/24/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Features$$$Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.$$$Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.$$$For #1175; the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.$$$For #1207: [FR] Support for RESINFO RRType 261 (RFC9606); add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.$$$Add resolver.arpa and service.arpa to the default locally served zones.$$$Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread; then only briefly pauses the service threads; that keep running. DNS service is only interrupted briefly; less than a second.$$$Merge #1019: Redis read-only replica support. Introduces new redis-replica-* options for the Redis cache backend.$$$Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option dns-error-reporting and new statistics for num.dns_error_reports.$$$Bug Fixes$$$Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.$$$Fix #1163: Typos in unbound.conf documentation.$$$Merge #1159: Stats for discard-timeout and wait-limit.$$$Add test case for #1159.$$$Some clean up for stat_values.test.$$$Merge #1170 from Melroy van den Berg; Fix chroot manpage description.$$$Merge #1157 from Liang Zhu; Fix heap corruption when calling ub_ctx_delete in Windows.$$$Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features.$$$Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule.$$$Fix SETEX check during Redis (re)initialization.$$$Fix for the serve expired DNSSEC information fix; it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated; but as a consequence no longer has certain expired information around for later dnssec valid expired responses.$$$Fix to log redis timeout error string on failure.$$$More descriptive text for harden-algo-downgrade.$$$Complete fix for max-global-quota to 200.$$$Fix #1183: the data being used is released in method nsec3_hash_test_entry.$$$Fix for #1183: release nsec3 hashes per test file.$$$Merge #1169 from Sergey Kacheev; fix: lock-free counters for auth_zone up/down queries.$$$Fix comparison to help static analyzer.$$$For #1175; update serve-expired tests.$$$Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255.$$$Merge #1197: dname_str() fixes.$$$Merge #1198: Fix log-servfail with serve expired and no useful cache contents.$$$Safeguard alias loop while looking in the cache for expired answers.$$$Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.$$$Fix typo in log_servfail.tdir test.$$$Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.$$$Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.$$$Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.$$$Fix #1213: Misleading error message on default access control causing refuse.$$$Merge #1221: Consider auth zones when checking for forwarders.$$$Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.$$$Create the quic SSL listening context only when needed.$$$Fix compile of interface check code when dnscrypt or quic is disabled.$$$Fix encoding of RR type ATMA.$$$Fix to check length in ATMA string to wire.$$$Merge #1229: check before use daemon->shm_info.$$$Use the same interface listening port discovery code for all
UNBOUND x86 Version 1.23.0.0
Release Date
4/24/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Features$$$Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.$$$Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.$$$For #1175; the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.$$$For #1207: [FR] Support for RESINFO RRType 261 (RFC9606); add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.$$$Add resolver.arpa and service.arpa to the default locally served zones.$$$Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread; then only briefly pauses the service threads; that keep running. DNS service is only interrupted briefly; less than a second.$$$Merge #1019: Redis read-only replica support. Introduces new redis-replica-* options for the Redis cache backend.$$$Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option dns-error-reporting and new statistics for num.dns_error_reports.$$$Bug Fixes$$$Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.$$$Fix #1163: Typos in unbound.conf documentation.$$$Merge #1159: Stats for discard-timeout and wait-limit.$$$Add test case for #1159.$$$Some clean up for stat_values.test.$$$Merge #1170 from Melroy van den Berg; Fix chroot manpage description.$$$Merge #1157 from Liang Zhu; Fix heap corruption when calling ub_ctx_delete in Windows.$$$Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features.$$$Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule.$$$Fix SETEX check during Redis (re)initialization.$$$Fix for the serve expired DNSSEC information fix; it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated; but as a consequence no longer has certain expired information around for later dnssec valid expired responses.$$$Fix to log redis timeout error string on failure.$$$More descriptive text for harden-algo-downgrade.$$$Complete fix for max-global-quota to 200.$$$Fix #1183: the data being used is released in method nsec3_hash_test_entry.$$$Fix for #1183: release nsec3 hashes per test file.$$$Merge #1169 from Sergey Kacheev; fix: lock-free counters for auth_zone up/down queries.$$$Fix comparison to help static analyzer.$$$For #1175; update serve-expired tests.$$$Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255.$$$Merge #1197: dname_str() fixes.$$$Merge #1198: Fix log-servfail with serve expired and no useful cache contents.$$$Safeguard alias loop while looking in the cache for expired answers.$$$Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.$$$Fix typo in log_servfail.tdir test.$$$Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.$$$Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.$$$Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.$$$Fix #1213: Misleading error message on default access control causing refuse.$$$Merge #1221: Consider auth zones when checking for forwarders.$$$Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.$$$Create the quic SSL listening context only when needed.$$$Fix compile of interface check code when dnscrypt or quic is disabled.$$$Fix encoding of RR type ATMA.$$$Fix to check length in ATMA string to wire.$$$Merge #1229: check before use daemon->shm_info.$$$Use the same interface listening port discovery code for all
UNBOUND x86 Version 1.22.0.0
Release Date
10/17/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Date:$$$17 October; 2024$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$$$$Windows version for 64bit compiled from the source$$$$$$Installer:$$$unbound_setup_1.22.0 | pgp sig | 32bit-version | 32bit pgp sig$$$Binaries (no install):$$$unbound-1.22.0.zip | pgp sig | 32bit-version | 32bit pgp sig$$$Doc:$$$README; manual(pdf)$$$Features$$$Add iter-scrub-ns; iter-scrub-cname and max-global-quota configuration options.$$$Merge patch to fix for glue that is outside of zone; with `harden-unverified-glue`; from Karthik Umashankar (Microsoft). Enabling this option protects the Unbound resolver against bad glue; that is unverified out of zone glue; by resolving them. It uses the records as last resort if there is no other working glue.$$$Add redis-command-timeout: 20 and redis-connect-timeout: 200; that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified; the redis-timeout value is used.$$$Fix #1144: [FR] log timestamps in ISO8601 format with timezone. This adds the option `log-time-iso: yes` that logs in ISO8601 format.$$$Merge #871: DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m` that enable dnsoverquic; and the counters `num.query.quic` and `mem.quic` in the statistics output. The feature needs to be enabled by compiling with libngtcp2; with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic; pass that with `--with-ssl=path` to compile unbound as well.$$$Bug Fixes$$$Fix #1126: unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0.$$$Add cross platform freebsd; openbsd and netbsd to github ci.$$$Fix for char signedness warnings on NetBSD.$$$Fix #1127: error: memory exhausted when defining more than 9994 local-zones.$$$Fix documentation for cache_fill_missing function.$$$Fix #1130: Loads of logs: validation failure: key for validation <domain>. is marked as invalid because of a previous for non-DNSSEC signed zone.$$$Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message.$$$Fix that stub-zone and forward-zone clauses do not exhaust memory for long content.$$$Unit test for auth zone transfer TLS; and TLS failure.$$$Fix to print port number in logs for auth zone transfer activities.$$$Merge #1132: b.root renumbering.$$$Fix for #1132; adjusted unit test for change in the test file.$$$Fix for #1132; comment about adjusted copy of reference check.$$$Merge #1135: Add new IANA trust anchor.$$$Fix config file read for dnstap-sample-rate.$$$Fix alloc-size and calloc-transposed-args compiler warnings.$$$Fix comment to not trigger doxygen unknown command.$$$Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077).$$$Add unit test for ttl limit for aggressive nsec.$$$Fix and add comments in testdata/val_negcache_ttl.rpl.$$$Merge #1140: Fix spelling mistake in comments.$$$Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING; CLANG_ADD_INC_PATHS; CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled.$$$Fix dns64 with prefetch that the prefetch is stored in cache.$$$Attempt to further fix doh_downstream_buffer_size.tdir flakiness.$$$More clear text for prefetch and minimal-responses in the unbound.conf man page.$$$Merge #1143: Fix cache update when serve expired is used. Expired records are favored over resolution and validation failures when serve-expired is used.$$$Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt.$$$Fix unbound dnstap socket test program analyzer warnings about unused variable assignments and variable initialization.$$$Fix #1149: unbound-control-setup hangs sometimes depending on the openssl version.$$$Fix #1128: Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream.$$$Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL.
UNBOUND x86 Version 1.21.1.0
Release Date
10/3/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

3 October; 2024$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$$$$Bug Fixes$$$Fix CVE-2024-8508; unbounded name compression could lead to denial of service.
UNBOUND x86 Version 1.21.0.0
Release Date
8/15/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Unbound 1.21.0 (Current version)$$$Source:$$$unbound-1.21.0.tar.gz | sha1 | sha256 | pgp sig$$$15 August; 2024$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$Windows version for 64bit compiled from the source$$$Features$$$Fix #1071: [FR] Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.$$$Fix #144: Port ipset to BSD pf tables.$$$Add dnstap-sample-rate that logs only 1/N messages; for high volume server environments. Thanks Dan Luther.$$$Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with `unbound-anchor -l`.$$$Merge #1090: Cookie secret file. Adds `cookie-secret-file: unbound_cookiesecrets.txt` option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret; activate_cookie_secret and drop_cookie_secret commands can be used for rollover; the command print_cookie_secrets shows the values in use.$$$Bug Fixes$$$Fix CAMP issues with global quota. Thanks to Huayi Duan; Marco Bearzi; Jodok Vieli; and Cagin Tanir from NetSec group; ETH Zurich.$$$Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek; Anat Bremler-Barr; Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University).$$$Merge #1062: Fix potential overflow bug while parsing port in function cfg_mark_ports.$$$Fix for #1062: declaration before statement; avoid print of null; and redundant check for array size.$$$Fix to squelch udp connect errors in the log at low verbosity about invalid argument for IPv6 link local addresses.$$$Fix when the mesh jostle is exceeded that nameserver targets are marked as resolved; so that the lookup is not stuck on the requestlist.$$$Add missing common functions to tdir tests.$$$Merge #1070: Fix rtt assignement for low values of infra-cache-max-rtt.$$$Merge #1069: Fix unbound-control stdin commands for multi-process Unbounds.$$$Fix unbound-control commands that read stdin in multi-process operation (local_zones_remove; local_zones; local_datas_remove; local_datas; view_local_datas_remove; view_local_datas). They will be properly distributed to all processes. dump_cache and load_cache are no longer supported in multi-process operation.$$$Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir now checks both single and multi process/thread operation.$$$Merge #1073: fix null pointer dereference issue in function ub_ctx_set_fwd.$$$Fix to print a parse error when config is read with no name for a forward-zone; stub-zone or view.$$$Fix for parse end of forward-zone; stub-zone and view.$$$Fix for #1064: Fix that cachedb expired messages are considered insecure; and thus can be served to clients when dnssec is enabled.$$$Fix #1059: Intermittent DNS blocking failure with local-zone and always_nxdomain. Addition of local_zones dynamically via unbound-control was not finding the zones parent correctly.$$$Fix #1064: Unbound 1.20 Cachedb broken?$$$Fix unused variable warning on compilation with no thread support.$$$unbound-control-setup: check openssl availability before doing anything; patch from Michael Tokarev.$$$Update patch to remove command shell builtin and update error text.$$$Fix to enable that SERVFAIL is cached; for a short period; for more cases. In the cases where limits are exceeded.$$$Fix spelling of tcp-idle-timeout docs; from Michael Tokarev.$$$Merge #1078: Only check old pid if no username.$$$Fix #1079: tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0.$$$Fix for #1079: fix RPZ taglist in iterator callback that no client info is like no taglist intersection.$$$Fix to squelch connection reset by peer errors from log. And fix that the tcp read errors are labeled as initial for the first calls.$$$Merge #1080: AddressSanitizer detection in tdir tests and memory leak fixes.$$$Fix memory leak when reload_keep_cache is used and num-threads changes.$$$Fix memory
UNBOUND x86 Version 1.20.0.0
Release Date
5/8/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Unbound 1.20.0 (Current version)$$$$$$Date:$$$8 May; 2024$$$$$$Features$$$The config for discard-timeout; wait-limit; wait-limit-cookie; wait-limit-netblock and wait-limit-cookie-netblock was added; for the fix to the DNSBomb issue.$$$Merge #1027: Introduce cache-min-negative-ttl option.$$$Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01); verified with upstream.$$$Implement cachedb-check-when-serve-expired: yes option; default is enabled. When serve expired is enabled with cachedb; it first checks cachedb before serving the expired response.$$$Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid?$$$Bug Fixes$$$Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it.$$$Update doc/unbound.doxygen with doxygen -u. Fixes option deprecation warnings and updates with newer defaults.$$$Remove unused portion from iter_dname_ttl unit test.$$$Fix validator classification of qtype DNAME for positive and redirection answers; and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME.$$$Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it.$$$Fix doc test so it ignores but outputs unsupported doxygen options.$$$Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload.$$$Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout.$$$Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected.$$$Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger.$$$Fix to unify codepath for local alias for rpz cname action override.$$$Fix rpz for cname override action after nsdname and nsip triggers.$$$Fix that addrinfo is not kept around but copied and freed; so that log-destaddr uses a copy of the information; much like NSD does.$$$Merge #1030: Persist the openssl and expat directories for repeated Windows builds.$$$Fix that rpz CNAME content is limited to the max number of cnames.$$$Fix rpz; it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values; that is better for debug logging.$$$Fix rpz that copies the cname override completely to the temp region; so there are no references to the rpz region.$$$Add rpz unit test for nsip action override.$$$Fix rpz for qtype CNAME after nameserver trigger.$$$Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME.$$$Fix localdata and rpz localdata to match CNAME only if no direct type match is available.$$$Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi).$$$For #831: Format text; use exclamation icon and explicit label names.$$$Fix name of unit test for subnet cache response.$$$Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations.$$$Fix for #1032; add safeguard to make table space positive.$$$Fix comment in lruhash space function.$$$Fix to add unit test for lruhash space that exercises the routines.$$$Fix that when the server truncates the pidfile; it does not follow symbolic links.$$$Fix that the server does not chown the pidfile.$$$Fix #1034: DoT forward-zone via unbound-control.$$$Fix for crypto related failures to have a better error string.$$$Fix #1035: Potential Bug while parsing port from the stub-host string; also affected forward-zones and remote-control host directives.$$$Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching.$$$Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c.$$$For #1040: adjust error
UNBOUND x86 Version 1.19.3.0
Release Date
3/14/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Unbound 1.19.3 (Current version)$$$Source:$$$unbound-1.19.3.tar.gz | sha1 | sha256 | pgp sig$$$Doc:$$$man-page$$$Date:$$$14 March; 2024$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$$$$Windows version for 64bit compiled from the source$$$$$$Installer:$$$unbound_setup_1.19.3 | pgp sig | 32bit-version | 32bit pgp sig$$$Binaries (no install):$$$unbound-1.19.3.zip | pgp sig | 32bit-version | 32bit pgp sig$$$Doc:$$$README; manual(pdf)$$$Features$$$Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672.$$$Bug Fixes$$$Fix unit test parse of origin syntax.$$$Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems.$$$Fix #964: config.h.in~ backup file in release tar balls.$$$Merge #968: Replace the obsolescent fgrep with grep -F in tests.$$$Merge #971: fix WARNING: Message has 41 extra bytes at end.$$$Fix #969: [FR] distinguish Do53; DoT and DoH in the logs.$$$Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic.$$$Fix to sync the tests script file common.sh.$$$iana portlist update.$$$Updated IPv4 and IPv6 address for b.root-servers.net in root hints.$$$Update test script file common.sh.$$$Fix tests to use new common.sh functions; wait_logfile and kill_from_pidfile.$$$Fix #974: doc: default number of outgoing ports without libevent.$$$Merge #975: Fixed some syntax errors in rpl files.$$$Fix root_zonemd unit test; it checks that the root ZONEMD verifies; now that the root has a valid ZONEMD.$$$Update example.conf with cookie options.$$$Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients.$$$Merge #985: Add DoH and DoT to dnstap message.$$$Fix #983: Sha1 runtime insecure change was incomplete.$$$Remove unneeded newlines and improve indentation in remote control code.$$$Merge #987: skip edns frag retry if advertised udp payload size is not smaller.$$$Fix unit test for #987 change in udp1xxx retry packet send.$$$Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.$$$Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.$$$Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit.$$$Merge #993: Update b.root-servers.net also in example config file.$$$Update workflow for ports to use newer openssl on windows compile.$$$Fix warning for windres on resource files due to redefinition.$$$Fix for #997: Print details for SSL certificate failure.$$$Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920).$$$Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound).$$$Merge #999: Search for protobuf-c with pkg-config.$$$Fix #1006: Cant find protobuf-c package since #999.$$$Fix documentation for access-control in the unbound.conf man page.$$$Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl.$$$Document the suspend argument for process_ds_response().$$$Move github workflows to use checkoutv4.$$$Fix edns subnet replies for scope zero answers to not get stored in the global cache; and in cachedb; when the upstream replies without an EDNS record.$$$Fix for #1022: Fix ede prohibited in access control refused answers.$$$Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions.$$$Fix TTL of synthesized CNAME when a DNAME is used from cache.$$$Fix unbound-control-setup.cmd to have CA v3 basicConstraints; like unbound-control-setup.sh has.
UNBOUND x86 Version 1.19.0.0
Release Date
11/8/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Unbound 1.19.0 (Current version)$$$$$$Date:$$$8 November; 2023$$$Linux and *BSD sources and binaries can easily be obtained using your (favorite) package manager or ports collection.$$$$$$Windows version for 64bit compiled from the source$$$$$$Installer:$$$unbound_setup_1.19.0 | pgp sig | 32bit-version | 32bit pgp sig$$$Binaries (no install):$$$unbound-1.19.0.zip | pgp sig | 32bit-version | 32bit pgp sig$$$Doc:$$$README; manual(pdf)$$$Features$$$Fix #850: [FR] Ability to use specific database in Redis; with new redis-logical-db configuration option.$$$Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise; because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself; and also not for downstream users. Default is no. The option is disable-edns-do: no$$$Expose the script filename in the Python module environment mod_env instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes #79.$$$Expose the configured listening and outgoing interfaces; if any; as a list of strings in the Python config_file class instead of the current Swig object proxy; fixes #79.$$$Mailing list patches from Daniel Gröber for DNS64 fallback to plain AAAA when no A record exists for synthesis; and minor DNS64 code refactoring for better readability.$$$Merge #951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no.$$$Bug Fixes$$$Fix for version generation race condition that ignored changes.$$$Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL.$$$Fix for WKS call to getservbyname that creates allocation on exit in unit test by testing numbers first and testing from the services list later.$$$Fix autoconf 2.69 warnings in configure.$$$Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.$$$Merge #931: Prevent warnings from -Wmissing-prototypes.$$$Fix to scrub resource records of type A and AAAA that have an inappropriate size. They are removed from responses.$$$Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.$$$Fix to add EDE text when RRs have been removed due to length.$$$Fix to set ede match in unit test for rr length removal.$$$Fix to print EDE text in readable form in output logs.$$$Fix send of udp retries when ENOBUFS is returned. It stops looping and also waits for the condition to go away. Reported by Florian Obser.$$$Fix authority zone answers for obscured DNAMEs and delegations.$$$Merge #936: Check for c99 with autoconf versions prior to 2.70.$$$Fix to remove two c99 notations.$$$Fix rpz tcp-only action with rpz triggers nsdname and nsip.$$$Fix misplaced comment.$$$Merge #881: Generalise the proxy protocol code.$$$Fix #946: Forwarder returns servfail on upstream response noerror no data.$$$Fix edns subnet so that queries with a source prefix of zero cause the recursor send no edns subnet option to the upstream.$$$Fix that printout of EDNS options shows the EDNS cookie option by name.$$$Fix infinite loop when reading multiple lines of input on a broken remote control socket. Addesses #947 and #948.$$$Fix #949: could not create control compt.$$$Fix that cachedb does not warn when serve-expired is disabled about use of serve-expired-reply-ttl and serve-expired-client-timeout.$$$Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.$$$Better fix for infinite loop when reading multiple lines of input on a broken remote control socket; by treating a zero byte line the same as transmission end. Addesses #947 and #948.$$$For multi Python module setups; clean previously parsed module functions in __main__s dictionary; if any; so that only current module functions are registered.$$$Fix #954: Inconsistent RPZ handling for A record returned along with CNAME.$$$Fixes
UNBOUND x86 Version 1.18.0.0
Release Date
8/30/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Features$$$Merge #826: ?dd a metric about the maximum number of collisions in lrushah.$$$Set max-udp-size default to 1232. This is the same default value as the default value for edns-buffer-size. It restricts client edns buffer size choices; and makes unbound behave similar to other DNS resolvers. The new choice; down from 4096 means it is harder to get large responses from Unbound. Thanks to Xiang Li; from NISL Lab; Tsinghua University.$$$Add harden-unknown-additional option. It removes unknown records from the authority section and additional section. Thanks to Xiang Li; from NISL Lab; Tsinghua University.$$$Merge #819: Added new static zone type block_a to suppress all A queries for specific zones.$$$Fix #835: [FR] Ability to use Redis unix sockets.$$$Fix #833: [FR] Ability to set the Redis password.$$$Merge #882 from vvfedorenko: Features/dropqueuedpackets; with sock-queue-timeout option that drops packets that have been in the socket queue for too long. Added statistics num.queries_timed_out and query.queue_time_us.max that track the socket queue timeouts.$$$Merge #722 from David eqvinox Lamparter: NAT64 support.$$$Fix #888: [FR] Use kernel timestamps for dnstap.$$$Merge #903: contrib: add yocto compatible init script.$$$Merge #892: Add cachedb hit stat. Introduces num.query.cachedb as a new statistical counter.$$$Merge #739: Add SVCB dohpath support.$$$Merge #802: add validation EDEs to queries where the CD bit is set.$$$Merge #664 from tilan7763: Add prefetch support for subnet cache entries.$$$Merge #759 from Tom Carpay: Add EDE (RFC8914) caching.$$$Merge #790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache.$$$Merge PR #762: Downstream DNS Server Cookies a la RFC7873 and RFC9018. Create server cookies for clients that send client cookies. This needs to be explicitly turned on in the config file with: `answer-cookie: yes`. A `cookie-secret:` can be configured for anycast setups. Without one; a random cookie secret is generated. The acl option `allow_cookie` allows queries with either a valid cookie or over a stateful transport. The statistics output has `queries_cookie_valid` and `queries_cookie_client` and `queries_cookie_invalid` information. The `ip\-ratelimit\-cookie:` value determines a rate limit for queries with cookies; if desired.
Interested in automating patching for UNBOUND x86?