Hi Richard,<br>
<br>
AFAIK there were no big changes in Unbound's NS selection algorithm for years.<br>
<br>
In Aug 2013 researchers pointed out the flaw in _BIND9's_ nameserver<br>
selection algorithm that attackers could subvert randomization of NS selection [1].<br>
ISC stated that it is not considered a security vulnerability but they also stated that <div>the algorithm will be improved [2]. I don't know further status of BIND9's implementation.<div><div>
<br>
[1] <a href="https://www.usenix.org/conference/woot13/workshop-program/presentation/hay" target="_blank">https://www.usenix.org/conference/woot13/workshop-program/presentation/hay</a><br>
[2] <a href="https://kb.isc.org/article/AA-01030/169/Operational-Notification-A-Vulnerability-in-the-SRTT-Algorithm-affects-BIND-9-Authoritative-Server-Selection.html" target="_blank">https://kb.isc.org/article/AA-01030/169/Operational-Notification-A-Vulnerability-in-the-SRTT-Algorithm-affects-BIND-9-Authoritative-Server-Selection.html</a><br>
</div></div></div>