Tags

unbound Debian release 1.24.1-1

Upstream version 1.24.1

Unbound 1.24.1

This security release fixes CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.

Bug Fixes:
- Fix CVE-2025-11411 (possible domain hijacking attack), reported by
  Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
  University.

unbound Debian release 1.24.0-2

unbound Debian release 1.24.0-1

Upstream version 1.24.0

Unbound 1.24.0

This release features increased defaults, num.valops statistic,
unbound-control cache_lookup, and bug fixes.

The default value increase for num-queries-per-thread is to make
saturation of the task queue more resource intensive and less
practical. Thanks to Shiming Liu, Network and Information Security
Lab, Tsinghua University for the report.

The default value increase for so-sndbuf is to mitigate a cross-layer
issue where the UDP socket send buffers are exhausted waiting for
ARP/NDP resolution. Thanks to Reflyable for the report.

To help the server start more easily, the setsockopt for sndbuf buffer
size prints a warning instead of a failure to start the server if it
can not set the buffer size.

Various cache -slabs options are auto-configured if not specified
in the config file. It uses a power of two close to the number of
threads. When the option is specified in the config file that value
is used instead.

An extra statistic is added to track the number of signature validation
operations by the validator, `num.valops`.

The unbound-control `cache_lookup` command prints cache information for
names in the domain given. This prints similar to dump_cache, but only
names under the zone(s) specified. Because of that it locks the caches
for a much shorter time, and this is good for server responsiveness.

The `sock-queue-timeout` option is adapted to work on FreeBSD as well
as Linux.

Features
- Increase default to `num-queries-per-thread: 2048`, when unbound is
  compiled with libevent. It makes saturation of the task queue more
  resource intensive and less practical. Thanks to Shiming Liu,
  Network and Information Security Lab, Tsinghua University for the
  report.
- Merge #1276: Auto-configure '-slabs' values.
- Change default for so-sndbuf to 1m, to mitigate a cross-layer
  issue where the UDP socket send buffers are exhausted waiting
  for ARP/NDP resolution. Thanks to Reflyable for the report.
- Adjusted so-sndbuf default to 4m.
- Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
  track the number of signature validation operations.
  Adds 'num.valops' to extended statistics.
- Fix #1303: [FR] Disable TLSv1.2.
- unbound-control cache_lookup <domains> prints the cached rrsets
  and messages for those.
- unbound-control cache_lookup +t allows tld and root names. And
  subnet cache contents are printed.
- Fix #1319: [FR] zone status for Unbound auth-zones.

Bug Fixes
- Fix #1272: assertion failure testcode/unitverify.c:202.
- Merge #1275: Use macros for the fr_check_changed* functions.
- Fix for parallel build of dnstap protoc-c output.
- Fix dnstap to use protoc.
- Sync unbound and unbound-checkconf log output for unknown modules.
- Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
  in 1.23.0, but worked in 1.22.0.
- Fix #1283: Unsafe usage of atoi() while parsing the configuration
  file.
- Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
  broken auth zones that include unsigned out of zone (above apex)
  data. Could lead to hang while trying to prove a wildcard answer.
- Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
  by adding a log_assert() to safeguard future development.
- Fix #1282: log-destaddr fail on long ipv6 addresses.
- Fix config of slab values when there is no config file.
- Fix for cname chain length with qtype ANY and qname minimisation.
  Thanks to Jim Greenwood from Nominet for the report.
- Merge #1285:  RST man pages. It introduces restructuredText man pages
  to sync the online and source code man page documentation.
  The templated man pages (*.in) are still part of the repo but
  generated with docutils from their .rst counterpart.
  Documentation on how to generate those (mainly for core developers)
  is in README.man.
- Add more checks about respip in unbound-checkconf.
  Also fixes #310: unbound-checkconf not reporting RPZ configuration
  error.
- Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
  program.
- Small manpage corrections for the 'disable-dnssec-lame-check' option.
- Fix unbound-anchor certificate file read for line ends and end of
  file.
- Fix comment for the dname_remove_label_limit_len function.
- iana portlist updated.
- Fix bitwise operators in conditional expressions with parentheses.
- Fix conditional expressions with parentheses for bitwise and.
- Fix header return value description for skip_pkt_rrs and
  parse_edns_from_query_pkt.
- Fix to check control-interface addresses in unbound-checkconf.
- Fix #1295: Windows 32-bit binaries download seems to be missing dll
  dependency.
- Fix for consistent use of local zone CNAME alias for configured auth
  zones. Now it also applies to downstream configured auth zones.
- Fix #1296: DNS over QUIC depends on a very outdated version of
  ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
- Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
- Fix rrset cache create allocation failure case.
- Fix #1293: EDE 6 is attached to insecure cached answers when client
  sends the CD bit.
- Fix #1247: forward-first: ssl handshake failed on root nameservers.
- For #1247, turn off fetch-policy for delegation when looking into
  parent side name servers that may not update the addresses and hit
  NXNS limits.
- For #1247, replay test (added tcp_transport to
  outnet_serviced_query).
- Merge #1299: Fix typos.
- Generate ltmain.sh and configure again.
- Fix #1300: Is 'sock-queue-timeout' a linux only feature.
- For #1300: implement sock-queue-timeout for FreeBSD as well.
- Fix layout of comm_point_udp_ancil_callback.
- Fix to improve dnstap discovery on Fedora.
- Fix detection of SSL_CTX_set_tmp_ecdh function.
- For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
- For #1289: test num.valops in existing stat_values.tdir.
- For #1289: add num.valops in the unbound-control man page.
- Add unit tests for non-ecs aggregation.
- Fix to not set rlimits in the unit tests.
- iana portlist updated.
- Redis checks for server down and throttles reconnects.
- Fix redis cachedb module gettimeofday init failure.
- Fix testbound test program to accurately output packets from hex.
- Fix #1309: incorrectly reclaimed tcp handler can cause data
  corruption and segfault.
- Fix to use assertions for consistency checks in #1309 reclaimed
  tcp handlers.
- Fix edns subnet, so that the subquery without subnet is stored in
  global cache if the querier used 0.0.0.0/0 and the name and address
  do not receive subnet treatment. If the name and address are
  configured for subnet, it is stored in the subnet cache.
- Fix dname_str for printout of long names. Thanks to Jan Komissar
  for the fix.
- Fix that edns-subnet failure to create a subquery errors as
  servfail, and not formerror.
- Fix to whitespace in dname_str.
- Fix that unbound-control dump_cache releases the cache locks
  every so often, so that the server stays responsive.
- Fix to remove debug from cache_lookup.
- Fix to unlock cache_lookup message for malformed records.
- Fix to increase responsiveness of dump_cache.
- Fix to decouple file descriptor activity and cache lookups in
  dump_cache.
- Fix cache_lookup subnet printout to wipe zero part of the prefix.
- Fix cache_lookup subnet print to not print messages without rrsets
  and perform in-depth check on node in the addrtree.
- Fix to check for extraneous command arguments for unbound-control,
  when the command takes no arguments but there are arguments present.
- Fix #1317: Unbound starts too early. Add
  Wants=network-online.target under [Unit] in unbound.service.
- Fix for #1317: Fix contrib/unbound.service comment path for
  systemd network configuration.
- For #1318: Fix compile warnings for DoH compile on windows.
- Fix sha1 enable environment variable in test code on windows.
- Fix that the zone acquired timestamp is set after the
  zonefile is read.
- Fix ports workflow to install expat for macos.
- Fix unbound-control dump_cache for double unlock of lruhash table.
- Fix setup_listen_sslctx warning for nettle compile.
- Limit the number of consecutive reads on an HTTP/2 session.
  Thanks to Gal Bar Nahum for exposing the possibility of infinite
  reads on the session.
- Fix for #1324: Fix to free edns options scratch in ratelimit case.
- Fix #1235: Outdated Python2 code in
  unbound/pythonmod/examples/log.py.
- Fix #1324: Memory leak in 'msgparse.c' in
  'parse_edns_options_from_query(...)'.
- Fix indentation in tcp-mss option parsing.
- For #1328: make depend.
- Update documentation for using "SET ... EX" in Redis.
- Document max buffer sizes for Redis commands.
- Update man pages.
- Fix #1332: CNAME chains are sometimes not followed when RPZs add a
  local CNAME rewrite.
- Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
- Small debug output improvement when attaching an EDE.
- Fix to print warning for when so-sndbuf setsockopt is not granted.
- Too many quotes for the EDE message debug printout.

Tag for Unbound 1.24.0rc1.

unbound Debian release 1.17.1-2+deb12u3

unbound1.9 Debian release 1.9.0-2+deb10u2~deb9u6

unbound Debian release 1.23.1-1

unbound Debian release 1.9.0-2+deb10u6

unbound Debian release 1.13.1-1+deb11u5

Upstream version 1.23.1

unbound Debian release 1.22.0-2

Unbound 1.23.1

This security release fixes the Rebirthday Attack CVE-2025-5994.

This re-opens up resolvers to a birthday paradox, for EDNS client subnet
servers that respond with non-ECS answers. It only affects Unbound when
compiled with --enable-subnet, and subnetmod is enabled with config
options that send ECS information to upstream servers.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.

Bug Fixes:
- Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
  AOSP Lab Nankai University.

Unbound 1.23.0

This release features changed defaults, fast reload, redis replica,
DNS Error Reporting, and bug fixes.

The fast reload is a feature that is listed as experimental. With
`unbound-control fast_reload` the server can read the new config in
a thread, and when done only briefly pauses the server to update the
settings. This uses double memory, for like zones from disk or config
that is loaded. It only pauses the server, for like less than a second,
so DNS service is not interrupted by the reload of config. A lot of
config items can be changed, but not all. It has options to print
more information, or memory usage, and there is a list of config
options in the man page.

The redis replica support allows for a redis backend to use a redis
replica. The read commands are sent to the redis replica host, while
the write commands are sent to the redis server. So with several
replicas there can be more readers that all write to the redis server.

With DNS error reporting, RFC9567, enabled with
`dns-error-reporting: yes`, this uses the error reporting agent to send
failure reports to. The number of error reporting queries is output in
the statistics as `num.dns_error_reports`.

Some defaults are changed in this release. The `resolver.arpa.` and
`service.arpa.` zones are added to the default locally served zones,
this can be disabled with a nodefault local zone. The default for
`max-global-quota` has changed to 200, after operational feedback.
The defaults from RFC8767 are used by `serve-expired-client-timeout`
on 1800 milliseconds and `serve-expired-ttl` on 86400 seconds. If
Unbound is compiled with edns subnet, the default for module-config
is no longer altered, so that compilation with subnet does not
interfere when the server does not use subnet. When edns subnet needs
to be enabled, `module-config: "subnetcache validator iterator"` should
be explicitly set as configuration in the `server:` section.

If edns subnet is enabled, the default for
module-config is no longer altered, so that compilation with subnet
does not interfere when the server does not use subnet. When edns subnet
is in use, also `module-config: "subnetcache validator iterator"` should
be set as configuration in the `server:` section.

The RC2 has fixes for building on Solaris and portability to Windows,
and fixes a memory leak for DoH.

Features
- Increase the default of max-global-quota to 200 from 128 after
  operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
- Fix #1175: serve-expired does not adhere to secure-by-default
  principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
- For #1175, the default value of serve-expired-ttl is set to 86400
  (1 day) as suggested by RFC8767.
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
- Add resolver.arpa and service.arpa to the default locally served
  zones.
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
  It reads changed config in a thread, then only briefly pauses the
  service threads, that keep running. DNS service is only interrupted
  briefly, less than a second.
- Merge #1019: Redis read-only replica support.
  Introduces new 'redis-replica-*' options for the Redis cache backend.
- Merge #902: DNS Error Reporting (RFC 9567). Introduces new
  configuration option 'dns-error-reporting' and new statistics for
  'num.dns_error_reports'.

Bug Fixes
- Fix #1154: Tag Incorrectly Applying for Other Interfaces
  Using the Same IP. This fix is not for 1.22.0.
- Fix #1163: Typos in unbound.conf documentation.
- Merge #1159: Stats for discard-timeout and wait-limit.
- Add test case for #1159.
- Some clean up for stat_values.test.
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
- Fix redis that during a reload it does not fail if the redis
  server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
- Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
- Fix SETEX check during Redis (re)initialization.
- Fix for the serve expired DNSSEC information fix, it would not allow
  current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
- Fix to log redis timeout error string on failure.
- More descriptive text for 'harden-algo-downgrade'.
- Complete fix for max-global-quota to 200.
- Fix #1183: the data being used is released in method
  nsec3_hash_test_entry.
- Fix for #1183: release nsec3 hashes per test file.
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
- Fix comparison to help static analyzer.
- For #1175, update serve-expired tests.
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
- Merge #1198: Fix log-servfail with serve expired and no useful cache
  contents.
- Safeguard alias loop while looking in the cache for expired answers.
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
- Fix typo in log_servfail.tdir test.
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
- Fix #1213: Misleading error message on default access control causing
  refuse.
- Merge #1221: Consider auth zones when checking for forwarders.
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
- Create the quic SSL listening context only when needed.
- Fix compile of interface check code when dnscrypt or quic is
  disabled.
- Fix encoding of RR type ATMA.
- Fix to check length in ATMA string to wire.
- Merge #1229: check before use daemon->shm_info.
- Use the same interface listening port discovery code for all needed
  protocols.
- Port to string only when needed before getaddrinfo().
- Do not open unencrypted channels next to encrypted ones on the same
  port.
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
- Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
- Make the default value of module-config "validator iterator"
  regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.
- Fix #986: Resolving sas.com with dnssec-validation fails though
  signed delegations seem to be (mostly) correct.
- Consider reconfigurations when calculating the still_useful_timeout
  for servers in the infrastructure cache.
- Fix static analysis report about unhandled EOF on error conditions
  when reading anchor key files.
- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
  values.
- Fix hash calculation for cachedb to ignore case. Previously, cached
  records there were only relevant for same case queries (if not
  already in Unbound's internal cache).
- Merge #1243: Do not shadow tm on line 236.
- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
  Add --help output description for the SOURCE_DATE_EPOCH variable.
- Fix 'unbound-control flush_negative' when reporting removed data;
  reported by David 'eqvinox' Lamparter.
- Fix representation of types GPOS and RESINFO, add rdf type for
  unquoted str.
- Fix #1251: WSAPoll first argument cannot be NULL.
- Fix for windows compile create ssl contexts.
- Fix print of RR type NSAP-PTR, it is an unquoted string.
- Fix #1253: Cache entries fail to be removed from Redis cachedb
  backend with unbound-control flush* +c.
- Fix for #1253: Fix for redis cachedb backend to expect an integer
  reply for the EXPIRE command.
- Fix #1254: `send failed: Socket is not connected` and
  `remote address is 0.0.0.0 port 53`.
- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
- For #1255, for ios use an older expat version that does not require
  C++11 language features.
- For #1255, for ios disable building tests that require C++11.
- For #1255, for ios try the latest expat version again.
- Fix unit test dname log printout typecast.
- Fix for ci test, expat is installed on the osx image.
- iana portlist update.
- Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
- Fix escape more characters when printing an RR type with an unquoted
  string.
- Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
- Fix unbound-control test so it counts the new flush_negative output,
  also answers the _ta probe from testns and prints command output
  and skip a thread specific test when no threads are available.
- Fix that ub_event has the facility to deal with callbacks for
  fast reload, doq, windows-stop and dnstap.
- Fix fast reload test to check if pid exists before acting on it.
- Merge #1262 from markyang92, fix build with
  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
- For #1262, ifdef is no longer needed.
- Fix #1263: Exempt loopback addresses from wait-limit.
- Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
  to allow two arguments.
- Fix ub_event and include dnstap and win_svc headers.
- Fix test for stat_values for wait limit defaults for localhost.
- Fix parameter unused warning in net_help.c.
- Fix mesh_copy_client_info to omit null contents from copy.
- Fix comment name in the rpz nsdname test.
- Fix nettle compile for warnings and ticket keys.
- Fix redis_replica test for unused option defaults and log printout.
- Fix test to speed up common.sh script kill_pid.
- Fix to update common.sh for speed of kill_pid.
- Update to the manpage for the fast_reload part.
- Fix fast_reload to print chroot with config file name.
- Fix to detect if atomic_store links in configure.
- Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
- Fix for print of connection type in log-replies for dot and doh.
- Merge #1265: Fix WSAPoll.

Tag for Unbound 1.23.0rc2.

Tag for Unbound 1.23.0rc1.

unbound1.9 Debian release 1.9.0-2+deb10u2~deb9u5