If edns subnet is enabled, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet is in use, also module-config: "subnetcache validator iterator" should be set as configuration in the server: section.

The RC2 has fixes for building on Solaris and portability to Windows, and fixes a memory leak for DoH.

Features

• Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds.
• Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767.
• For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767.
• For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
• Add resolver.arpa and service.arpa to the default locally served zones.
• Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second.
• Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend.
• Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'.

Bug Fixes

• Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0.
• Fix #1163: Typos in unbound.conf documentation.
• Merge #1159: Stats for discard-timeout and wait-limit.
• Add test case for #1159.
• Some clean up for stat_values.test.
• Merge #1170 from Melroy van den Berg, Fix chroot manpage description.
• Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows.
• Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features.
• Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule.
• Fix SETEX check during Redis (re)initialization.
• Fix for the serve expired DNSSEC information fix, it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses.
• Fix to log redis timeout error string on failure.
• More descriptive text for 'harden-algo-downgrade'.
• Complete fix for max-global-quota to 200.
• Fix #1183: the data being used is released in method nsec3_hash_test_entry.
• Fix for #1183: release nsec3 hashes per test file.
• Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries.
• Fix comparison to help static analyzer.
• For #1175, update serve-expired tests.
• Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255.
• Merge #1197: dname_str() fixes.
• Merge #1198: Fix log-servfail with serve expired and no useful cache contents.
• Safeguard alias loop while looking in the cache for expired answers.
• Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop.
• Fix typo in log_servfail.tdir test.
• Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion.
• Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic.
• Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake.
• Fix #1213: Misleading error message on default access control causing refuse.
• Merge #1221: Consider auth zones when checking for forwarders.
• Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN.
• Create the quic SSL listening context only when needed.
• Fix compile of interface check code when dnscrypt or quic is disabled.
• Fix encoding of RR type ATMA.
• Fix to check length in ATMA string to wire.
• Merge #1229: check before use daemon->shm_info.
• Use the same interface listening port discovery code for all needed protocols.
• Port to string only when needed before getaddrinfo().
• Do not open unencrypted channels next to encrypted ones on the same port.
• Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set.
• Merge #1220 from Petr Menšík, Add unbound members group access to control key.
• Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past.
• Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct.
• Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache.
• Fix static analysis report about unhandled EOF on error conditions when reading anchor key files.
• Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt values.
• Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache).
• Merge #1243: Do not shadow tm on line 236.
• Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. Add --help output description for the SOURCE_DATE_EPOCH variable.
• Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter.
• Fix representation of types GPOS and RESINFO, add rdf type for unquoted str.
• Fix #1251: WSAPoll first argument cannot be NULL.
• Fix for windows compile create ssl contexts.
• Fix print of RR type NSAP-PTR, it is an unquoted string.
• Fix #1253: Cache entries fail to be removed from Redis cachedb backend with unbound-control flush* +c.
• Fix for #1253: Fix for redis cachedb backend to expect an integer reply for the EXPIRE command.
• Fix #1254: send failed: Socket is not connected and remote address is 0.0.0.0 port 53.
• Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
• For #1255, for ios use an older expat version that does not require C++11 language features.
• For #1255, for ios disable building tests that require C++11.
• For #1255, for ios try the latest expat version again.
• Fix unit test dname log printout typecast.
• Fix for ci test, expat is installed on the osx image.
• iana portlist update.
• Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
• Fix escape more characters when printing an RR type with an unquoted string.
• Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
• Fix unbound-control test so it counts the new flush_negative output, also answers the _ta probe from testns and prints command output and skip a thread specific test when no threads are available.
• Fix that ub_event has the facility to deal with callbacks for fast reload, doq, windows-stop and dnstap.
• Fix fast reload test to check if pid exists before acting on it.
• Merge #1262 from markyang92, fix build with 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
• For #1262, ifdef is no longer needed.
• Fix #1263: Exempt loopback addresses from wait-limit.
• Fix wait-limit-netblock and wait-limit-cookie-netblock config parse to allow two arguments.
• Fix ub_event and include dnstap and win_svc headers.
• Fix test for stat_values for wait limit defaults for localhost.
• Fix parameter unused warning in net_help.c.
• Fix mesh_copy_client_info to omit null contents from copy.
• Fix comment name in the rpz nsdname test.
• Fix nettle compile for warnings and ticket keys.
• Fix redis_replica test for unused option defaults and log printout.
• Fix test to speed up common.sh script kill_pid.
• Fix to update common.sh for speed of kill_pid.
• Update to the manpage for the fast_reload part.
• Fix fast_reload to print chroot with config file name.
• Fix to detect if atomic_store links in configure.
• Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
• Fix for print of connection type in log-replies for dot and doh.
• Merge #1265: Fix WSAPoll.