Hi Richard,

AFAIK there were no big changes in Unbound's NS selection algorithm for years.
In Aug 2013 researchers pointed out a flaw in _BIND9's_ nameserver selection algorithm: attackers could subvert the randomization of NS selection [1]. ISC stated that it is not considered a security vulnerability, but they also stated that the algorithm will be improved [2]. I don't know the further status of BIND9's implementation.

[1] https://www.usenix.org/conference/woot13/workshop-program/presentation/hay
[2] https://kb.isc.org/article/AA-01030/169/Operational-Notification-A-Vulnerability-in-the-SRTT-Algorithm-affects-BIND-9-Authoritative-Server-Selection.html
