A vulnerability has been discovered in Unbound when handling
replies with very large RRsets that Unbound needs to perform name
compression for.
Malicious upstreams responses with very large RRsets can cause
Unbound to spend a considerable time applying name compression to
downstream replies. This can lead to degraded performance and
eventually denial of service in well orchestrated attacks.
Unbound version 1.21.1 introduces a hard limit on the number of
name compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed
packets or truncated packets, even on TCP for huge messages, to
avoid locking the CPU for long.
This change should not affect normal DNS traffic.