Unbound 1.13.2 released

We are pleased to announce the release of version 1.13.2 of the Unbound recursive DNS resolver.

The release contains a bugfix to fix the make install of the python module after build changes introduced in this release rc1.

This release contains a number of bug fixes. There is a crash fix for broken internal structures in stream reuse, that is used when many TCP or TLS upstream connections are made. Also a number of features are added.

The ZONEMD support allows verification of downloaded authority zone files with the zonemd hash. It can be enabled with the zonemd-check option. It implements RFC8976. With zonemd-permissive-mode it is possible to try out the functionality without withholding the zone if the checks fail. With zonemd-reject-absence the zonemd record becomes a requirement for a zone.

It is possible to use interface names for the control-interface as well, it was already possible for the interface, but now also for the remote control functionality. It allows the user to config the interface with the interface name, like 'eth0', instead of an IP address.

It is possible to configure the persistent TCP connection, with the options max-reuse-tcp-queries and tcp-reuse-timeout. These also apply to TLS reused connections.

The local zone types always_null, always_nodata and always_deny work inside the local zones that are defined inside a view.

The log servfail error message now includes more information, it attempts to add an IP address and information about the one of the last failures that is associated with that query.

With the option tcp-auth-query-timeout, the time to wait for queries to upstream authority servers can be configured, for TCP and TLS queries.

It is possible to configure unbound with --with-deprecate-rsa-1024, that stops the use of RSA 1024 keys. That makes unbound work with certain FIPS installations that do not allow such calls to the crypto API. If the option is enabled, Unbound treats RSA keys with an insufficiently sized key as not supported. Responses with unsupported crypto are marked insecure.

The NSEC3 maximum iterations are lowered to 150. This is the new default setting. This puts this in line with other DNS implementations. If the iterations count is exceeded the response becomes insecure.

The number of validator retries when there is a DNSSEC failure can be configured with the val-max-restart option.

The RR types SVCB and HTTPS are supported according to the draft specification. The syntax can be used in local zones and zone files, and debug output. The types themselves were already supported on the wire the RFC3597 unknown RR type support.

The HTTP user agent header can be configured or elided, to avoid printing the version of type of the software running on the server, with the options http-user-agent and hide-http-user-agent.

For a full list of changes and binary and source packages, see the download page.