Unbound 1.11.0 released

We are pleased to announce the release of version 1.11.0 of the Unbound recursive DNS resolver.

This release contains a number of bug fixes. Also new features are introduced. The configure --with-dynlibmodule enables dynamic library support that can have code modules function like the python library scripts. It allows to load multiple dynlib instances. The new include-toplevel: <file or wildcard> configuration option allows to include a directory with config files where every config file does not modify the config section for the later files so that the include order is idempotent. This makes it much easier to drop files into a config snippet directory in etc and manage that set of config files, without for example one config file starting a stub section and creating parse errors in another config file with server options.

The rrset-roundrobin option is now default to yes. This is more in line with what users expect. The KSK-2010 has been removed from our default key set output. The option prefer-ip4 can be used to prefer ip4 over ip6 when reputation for the ip6 netblock is shared with other users.

There is also a dnstap implementation inside Unbound. This removes the dependency on the libfstrm library. The protobuf library is still used. The fstrm protocol code resides in dnstap/dnstap_fstrm.h and dnstap/dnstap_fstrm.c. This contains a brief definition of what unbound needs.

The make unbound-dnstap-socket builds a debug tool, unbound-dnstap-socket. It can listen, accept multiple DNSTAP streams and print information. Commandline options control it.

Unbound can reconnect if the unix domain socket file socket is closed. This uses exponential backoff after which it uses a one second timer to throttle cpu down. There is also support to use TCP and TLS for connecting to the log server. There are new config options to turn them on, in the dnstap section in the man page and example config file. dnstap-ip with IP address of server for TCP or TLS use. dnstap-tls to turn on TLS. And dnstap-tls-server-name, dnstap-tls-cert-bundle, dnstap-tls-client-key-file and dnstap-tls-client-cert-file to configure the certificates for server authentication and client authentication, or leave at "" to not use that. With dnstap-bidirectional the frame streams can be set to bidirectional or unidirectional connection mode.

For a full list of changes and binary and source packages, see the download page.