Unbound 1.9.1 released

Published: Mon 11 March 2019

We are pleased to announce the release of version 1.9.1 of the Unbound recursive DNS resolver.

This release contains fixes for two bugs in the out-of-order processing introduced in 1.9.0: one where the wrong answer was returned, and a crash bug in file descriptor handling.

There are fixes for compiling on Windows with pythonmod support. You need to compile the source with that option enabled. For example, compile on Windows itself (with gcc or clang), or cross-compile with mingw64-configure as the start of the compile run, and enable the pythonmod configure option.

There is also a fix for qname minimisation, which could have skipped a label-fetch step when it should not have. This was caused by certain recursion situations and the subsequent qname minimisation continuation. Qname minimisation in Unbound is designed to sometimes add several labels at a time, instead of adding one label at a time and performing lookups until the full qname is reached, because certain names are very long, especially in the IPv6 reverse space. Unbound performs short steps near the top, in the root and TLDs, but then makes longer label-add steps when the name is very long, near the left side of the qname. This keeps the lookup latency short.
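The following sketch, added here as an illustration and not taken from Unbound's source, shows the idea of single-label steps near the root followed by multi-label steps for a long IPv6 reverse name. The constants `ONE_LABEL_STEPS` and `MAX_STEPS`, the even-spreading policy and the sample address are assumptions chosen for the example.

```python
import ipaddress

ONE_LABEL_STEPS = 4   # assumption: steps near the root/TLD that add one label
MAX_STEPS = 10        # assumption: cap on minimised queries per lookup

# Constructed sample: reverse name of a documentation-range IPv6 address.
SAMPLE = ipaddress.ip_address("2001:db8::1").reverse_pointer


def labels_of(qname):
    """Split a name into labels, leftmost first; the root gives []."""
    return [label for label in qname.rstrip(".").split(".") if label]


def step_sizes(label_count):
    """Number of labels added at each step, starting just below the root."""
    sizes = [1] * min(label_count, ONE_LABEL_STEPS)
    remaining = label_count - len(sizes)
    long_steps = MAX_STEPS - ONE_LABEL_STEPS
    # Spread what is left over the remaining steps; any uneven
    # remainder lands on the last steps, nearest the full qname.
    for used in range(long_steps):
        if remaining == 0:
            break
        size = max(1, remaining // (long_steps - used))
        sizes.append(size)
        remaining -= size
    return sizes


def minimised_names(qname):
    """Names that would be queried in turn, ending with the full qname."""
    labels = labels_of(qname)
    names, shown = [], 0
    for size in step_sizes(len(labels)):
        shown += size
        names.append(".".join(labels[-shown:]) + ".")
    return names


if __name__ == "__main__":
    for name in minimised_names(SAMPLE):
        print(name)
```

With these assumed values the 34-label reverse name is reached in 10 queries instead of 34, while a short name such as `www.example.com.` is still walked one label at a time.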

A new local-zone type, inform_redirect, is added. It acts as if type inform and type redirect are both used: the answer is logged, and the content of the answer is like that of type redirect.

For 0x20 capsforid, a canonical sort is used to compare faulty replies. This removes some cases where the fallback could not establish, in several retries, that the reply is genuine.

To make ratelimiting easier, the ratelimit logs print the query name that triggered the ratelimit message. The query names in the limited traffic are not necessarily all the same, but the name of the query that made the ratelimit exceed is printed, and this single name gives some insight into the nature of the traffic. The IP address of the sender of the query that triggered the upstream ratelimit is also printed. If a recursion exceeds the ratelimit, the log does not print the IP address of the query ultimately responsible for the recursive lookup.

Unbound has ratelimiting for both the clients (the downstream side) and for traffic sent by unbound to the wider internet (the upstream side). The ip-ratelimit options limit traffic in packets per client IP. The ratelimit options limit traffic towards a domain name. The new logging prints extra information with the log messages for both of them, so that an inkling of information on some of that traffic is visible straight away.

For a full list of changes and binary and source packages, see the download page.
