Debian 11: unbound Critical Security Fix for Denial of Service DLA-4280-1

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can
cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable for DoS, it can be used to
take part in a pulsing DoS amplification attack.

Configuration options have been added to help mitigate the impact by
trying to shrink the DNSBomb window so that the impact of the DoS
from Unbound is significantly lower than it used to be:

* discard-timeout: 1900
After 1900 ms a reply to the client will be dropped. Unbound
would still work on the query but refrain from replying in order
to not accumulate a huge number of "old" replies. Legitimate
clients retry on timeouts.

* wait-limit: 1000
Limits the amount of client queries that require recursion
(cache-hits are not counted) per IP address. More recursive
queries than the allowed limit are dropped.
wait-limit: 0 disables all wait limits.