- Fixes CVE-2025-11411
Features from 1.24:
- Increase default to `num-queries-per-thread: 2048`
- num.valops in extended statistics
- unbound-control cache_lookup <domains> support
- zone status for auth-zones
Features from 1.23:
- Increase the default of max-global-quota to 200 from 128
- The default value of serve-expired-client-timeout is set to 1800
- Support for RESINFO RRType 261 (RFC9606).
- Add resolver.arpa and service.arpa to the default locally served zones.
- Fast Reload. The unbound-control fast_reload is added.
- DNS Error Reporting (RFC 9567).
Features from 1.22:
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options.
- Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`
- log timestamps in ISO8601 format with timezone
- DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`.
Requires ngtcp2, not yet in RHEL.
Features from 1.21:
- Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.
- Add dnstap-sample-rate that logs only 1/N messages.
- Add root key 38696 from 2024 for DNSSEC validation.
- Cookie secret file. Adds `cookie-secret-file option.
And a lot of bug fixes.
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
Resolves: RHEL-132717
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
- Fix#596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.
The option rpz-signal-nxdomain-ra allows to signal that a domain is externally
blocked to clients when it is blocked with NXDOMAIN by unsetting RA.
- Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered
for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone.
- Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and
ip-ratelimit-backoff configuration options.
- Change aggressive-nsec default to yes.
(cherry picked from commit 84e89add4a)
Resolves: rhbz#2087120