A flaw was found in Unbound which can lead to degraded performance and an eventual denial of service when handling replies with very large RRsets that require name compression to be applied. Versions prior to 1.21.1 do not have a hard limit on the number of name compression calculations that Unbound can perform per packet, meaning that if a specially crafted query is passed for the contents of a malicious zone with very large RRsets, Unbound may spend a considerable amount of time applying name compression to downstream replies, locking the CPU until the whole packet has been processed.