-
-
release-1.24.02dd821c2 · ·
Unbound 1.24.0 This release features increased defaults, num.valops statistic, unbound-control cache_lookup, and bug fixes. The default value increase for num-queries-per-thread is to make saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report. The default value increase for so-sndbuf is to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report. To help the server start more easily, the setsockopt for sndbuf buffer size prints a warning instead of a failure to start the server if it can not set the buffer size. Various cache -slabs options are auto-configured if not specified in the config file. It uses a power of two close to the number of threads. When the option is specified in the config file that value is used instead. An extra statistic is added to track the number of signature validation operations by the validator, `num.valops`. The unbound-control `cache_lookup` command prints cache information for names in the domain given. This prints similar to dump_cache, but only names under the zone(s) specified. Because of that it locks the caches for a much shorter time, and this is good for server responsiveness. The `sock-queue-timeout` option is adapted to work on FreeBSD as well as Linux. Features - Increase default to `num-queries-per-thread: 2048`, when unbound is compiled with libevent. It makes saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report. - Merge #1276: Auto-configure '-slabs' values. - Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report. - Adjusted so-sndbuf default to 4m. - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to track the number of signature validation operations. Adds 'num.valops' to extended statistics. - Fix #1303: [FR] Disable TLSv1.2. - unbound-control cache_lookup <domains> prints the cached rrsets and messages for those. - unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed. - Fix #1319: [FR] zone status for Unbound auth-zones. Bug Fixes - Fix #1272: assertion failure testcode/unitverify.c:202. - Merge #1275: Use macros for the fr_check_changed* functions. - Fix for parallel build of dnstap protoc-c output. - Fix dnstap to use protoc. - Sync unbound and unbound-checkconf log output for unknown modules. - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." in 1.23.0, but worked in 1.22.0. - Fix #1283: Unsafe usage of atoi() while parsing the configuration file. - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) data. Could lead to hang while trying to prove a wildcard answer. - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development. - Fix #1282: log-destaddr fail on long ipv6 addresses. - Fix config of slab values when there is no config file. - Fix for cname chain length with qtype ANY and qname minimisation. Thanks to Jim Greenwood from Nominet for the report. - Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man. - Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error. - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound program. - Small manpage corrections for the 'disable-dnssec-lame-check' option. - Fix unbound-anchor certificate file read for line ends and end of file. - Fix comment for the dname_remove_label_limit_len function. - iana portlist updated. - Fix bitwise operators in conditional expressions with parentheses. - Fix conditional expressions with parentheses for bitwise and. - Fix header return value description for skip_pkt_rrs and parse_edns_from_query_pkt. - Fix to check control-interface addresses in unbound-checkconf. - Fix #1295: Windows 32-bit binaries download seems to be missing dll dependency. - Fix for consistent use of local zone CNAME alias for configured auth zones. Now it also applies to downstream configured auth zones. - Fix #1296: DNS over QUIC depends on a very outdated version of ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0. - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod. - Fix rrset cache create allocation failure case. - Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit. - Fix #1247: forward-first: ssl handshake failed on root nameservers. - For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits. - For #1247, replay test (added tcp_transport to outnet_serviced_query). - Merge #1299: Fix typos. - Generate ltmain.sh and configure again. - Fix #1300: Is 'sock-queue-timeout' a linux only feature. - For #1300: implement sock-queue-timeout for FreeBSD as well. - Fix layout of comm_point_udp_ancil_callback. - Fix to improve dnstap discovery on Fedora. - Fix detection of SSL_CTX_set_tmp_ecdh function. - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1. - For #1289: test num.valops in existing stat_values.tdir. - For #1289: add num.valops in the unbound-control man page. - Add unit tests for non-ecs aggregation. - Fix to not set rlimits in the unit tests. - iana portlist updated. - Redis checks for server down and throttles reconnects. - Fix redis cachedb module gettimeofday init failure. - Fix testbound test program to accurately output packets from hex. - Fix #1309: incorrectly reclaimed tcp handler can cause data corruption and segfault. - Fix to use assertions for consistency checks in #1309 reclaimed tcp handlers. - Fix edns subnet, so that the subquery without subnet is stored in global cache if the querier used 0.0.0.0/0 and the name and address do not receive subnet treatment. If the name and address are configured for subnet, it is stored in the subnet cache. - Fix dname_str for printout of long names. Thanks to Jan Komissar for the fix. - Fix that edns-subnet failure to create a subquery errors as servfail, and not formerror. - Fix to whitespace in dname_str. - Fix that unbound-control dump_cache releases the cache locks every so often, so that the server stays responsive. - Fix to remove debug from cache_lookup. - Fix to unlock cache_lookup message for malformed records. - Fix to increase responsiveness of dump_cache. - Fix to decouple file descriptor activity and cache lookups in dump_cache. - Fix cache_lookup subnet printout to wipe zero part of the prefix. - Fix cache_lookup subnet print to not print messages without rrsets and perform in-depth check on node in the addrtree. - Fix to check for extraneous command arguments for unbound-control, when the command takes no arguments but there are arguments present. - Fix #1317: Unbound starts too early. Add Wants=network-online.target under [Unit] in unbound.service. - Fix for #1317: Fix contrib/unbound.service comment path for systemd network configuration. - For #1318: Fix compile warnings for DoH compile on windows. - Fix sha1 enable environment variable in test code on windows. - Fix that the zone acquired timestamp is set after the zonefile is read. - Fix ports workflow to install expat for macos. - Fix unbound-control dump_cache for double unlock of lruhash table. - Fix setup_listen_sslctx warning for nettle compile. - Limit the number of consecutive reads on an HTTP/2 session. Thanks to Gal Bar Nahum for exposing the possibility of infinite reads on the session. - Fix for #1324: Fix to free edns options scratch in ratelimit case. - Fix #1235: Outdated Python2 code in unbound/pythonmod/examples/log.py. - Fix #1324: Memory leak in 'msgparse.c' in 'parse_edns_options_from_query(...)'. - Fix indentation in tcp-mss option parsing. - For #1328: make depend. - Update documentation for using "SET ... EX" in Redis. - Document max buffer sizes for Redis commands. - Update man pages. - Fix #1332: CNAME chains are sometimes not followed when RPZs add a local CNAME rewrite. - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0. - Small debug output improvement when attaching an EDE. - Fix to print warning for when so-sndbuf setsockopt is not granted. - Too many quotes for the EDE message debug printout.
-
-
release-1.23.15bf82f24 · ·
Unbound 1.23.1 This security release fixes the Rebirthday Attack CVE-2025-5994. This re-opens up resolvers to a birthday paradox, for EDNS client subnet servers that respond with non-ECS answers. It only affects Unbound when compiled with --enable-subnet, and subnetmod is enabled with config options that send ECS information to upstream servers. The CVE is described here https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt We would like to thank Xiang Li (AOSP Lab, Nankai University) for discovering and responsibly disclosing the vulnerability. Bug Fixes: - Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University.
-
release-1.23.030c13d03 · ·
Unbound 1.23.0 This release features changed defaults, fast reload, redis replica, DNS Error Reporting, and bug fixes. The fast reload is a feature that is listed as experimental. With `unbound-control fast_reload` the server can read the new config in a thread, and when done only briefly pauses the server to update the settings. This uses double memory, for like zones from disk or config that is loaded. It only pauses the server, for like less than a second, so DNS service is not interrupted by the reload of config. A lot of config items can be changed, but not all. It has options to print more information, or memory usage, and there is a list of config options in the man page. The redis replica support allows for a redis backend to use a redis replica. The read commands are sent to the redis replica host, while the write commands are sent to the redis server. So with several replicas there can be more readers that all write to the redis server. With DNS error reporting, RFC9567, enabled with `dns-error-reporting: yes`, this uses the error reporting agent to send failure reports to. The number of error reporting queries is output in the statistics as `num.dns_error_reports`. Some defaults are changed in this release. The `resolver.arpa.` and `service.arpa.` zones are added to the default locally served zones, this can be disabled with a nodefault local zone. The default for `max-global-quota` has changed to 200, after operational feedback. The defaults from RFC8767 are used by `serve-expired-client-timeout` on 1800 milliseconds and `serve-expired-ttl` on 86400 seconds. If Unbound is compiled with edns subnet, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet needs to be enabled, `module-config: "subnetcache validator iterator"` should be explicitly set as configuration in the `server:` section. If edns subnet is enabled, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet is in use, also `module-config: "subnetcache validator iterator"` should be set as configuration in the `server:` section. The RC2 has fixes for building on Solaris and portability to Windows, and fixes a memory leak for DoH. Features - Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. - Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. - For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. - Add resolver.arpa and service.arpa to the default locally served zones. - Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. - Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. - Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. Bug Fixes - Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0. - Fix #1163: Typos in unbound.conf documentation. - Merge #1159: Stats for discard-timeout and wait-limit. - Add test case for #1159. - Some clean up for stat_values.test. - Merge #1170 from Melroy van den Berg, Fix chroot manpage description. - Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows. - Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features. - Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule. - Fix SETEX check during Redis (re)initialization. - Fix for the serve expired DNSSEC information fix, it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses. - Fix to log redis timeout error string on failure. - More descriptive text for 'harden-algo-downgrade'. - Complete fix for max-global-quota to 200. - Fix #1183: the data being used is released in method nsec3_hash_test_entry. - Fix for #1183: release nsec3 hashes per test file. - Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries. - Fix comparison to help static analyzer. - For #1175, update serve-expired tests. - Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255. - Merge #1197: dname_str() fixes. - Merge #1198: Fix log-servfail with serve expired and no useful cache contents. - Safeguard alias loop while looking in the cache for expired answers. - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop. - Fix typo in log_servfail.tdir test. - Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion. - Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic. - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake. - Fix #1213: Misleading error message on default access control causing refuse. - Merge #1221: Consider auth zones when checking for forwarders. - Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN. - Create the quic SSL listening context only when needed. - Fix compile of interface check code when dnscrypt or quic is disabled. - Fix encoding of RR type ATMA. - Fix to check length in ATMA string to wire. - Merge #1229: check before use daemon->shm_info. - Use the same interface listening port discovery code for all needed protocols. - Port to string only when needed before getaddrinfo(). - Do not open unencrypted channels next to encrypted ones on the same port. - Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set. - Merge #1220 from Petr Menšík, Add unbound members group access to control key. - Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past. - Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. - Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache. - Fix static analysis report about unhandled EOF on error conditions when reading anchor key files. - Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt values. - Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache). - Merge #1243: Do not shadow tm on line 236. - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. Add --help output description for the SOURCE_DATE_EPOCH variable. - Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter. - Fix representation of types GPOS and RESINFO, add rdf type for unquoted str. - Fix #1251: WSAPoll first argument cannot be NULL. - Fix for windows compile create ssl contexts. - Fix print of RR type NSAP-PTR, it is an unquoted string. - Fix #1253: Cache entries fail to be removed from Redis cachedb backend with unbound-control flush* +c. - Fix for #1253: Fix for redis cachedb backend to expect an integer reply for the EXPIRE command. - Fix #1254: `send failed: Socket is not connected` and `remote address is 0.0.0.0 port 53`. - Fix #1255: Multiple pinnings to vulnerable copies of libexpat. - For #1255, for ios use an older expat version that does not require C++11 language features. - For #1255, for ios disable building tests that require C++11. - For #1255, for ios try the latest expat version again. - Fix unit test dname log printout typecast. - Fix for ci test, expat is installed on the osx image. - iana portlist update. - Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir. - Fix escape more characters when printing an RR type with an unquoted string. - Enable the auth_tls.tdir and auth_tls_failcert.tdir tests. - Fix unbound-control test so it counts the new flush_negative output, also answers the _ta probe from testns and prints command output and skip a thread specific test when no threads are available. - Fix that ub_event has the facility to deal with callbacks for fast reload, doq, windows-stop and dnstap. - Fix fast reload test to check if pid exists before acting on it. - Merge #1262 from markyang92, fix build with 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c. - For #1262, ifdef is no longer needed. - Fix #1263: Exempt loopback addresses from wait-limit. - Fix wait-limit-netblock and wait-limit-cookie-netblock config parse to allow two arguments. - Fix ub_event and include dnstap and win_svc headers. - Fix test for stat_values for wait limit defaults for localhost. - Fix parameter unused warning in net_help.c. - Fix mesh_copy_client_info to omit null contents from copy. - Fix comment name in the rpz nsdname test. - Fix nettle compile for warnings and ticket keys. - Fix redis_replica test for unused option defaults and log printout. - Fix test to speed up common.sh script kill_pid. - Fix to update common.sh for speed of kill_pid. - Update to the manpage for the fast_reload part. - Fix fast_reload to print chroot with config file name. - Fix to detect if atomic_store links in configure. - Fix #1264: unbound 1.22.0 leaks memory when doing DoH. - Fix for print of connection type in log-replies for dot and doh. - Merge #1265: Fix WSAPoll.