Tags give the ability to mark specific points in history as being important
-
-
release-1.24.2
f6269baa · ·Unbound 1.24.2 This security release has additional fixes for CVE-2025-11411. Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. The CVE is described here https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies as well, mitigating the possible poison effect. We would like to thank TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University for discovering and responsibly disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1. Bug Fixes: - Additional fix for CVE-2025-11411 (possible domain hijacking attack), to include YXDOMAIN and non-referral nodata answers in the mitigation as well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University.
-
-
release-1.24.1
a33f0638 · ·Unbound 1.24.1 This security release fixes CVE-2025-11411. Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. The CVE is described here https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University for discovering and responsibly disclosing the vulnerability. Bug Fixes: - Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.
-
-
release-1.24.0
2dd821c2 · ·Unbound 1.24.0 This release features increased defaults, num.valops statistic, unbound-control cache_lookup, and bug fixes. The default value increase for num-queries-per-thread is to make saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report. The default value increase for so-sndbuf is to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report. To help the server start more easily, the setsockopt for sndbuf buffer size prints a warning instead of a failure to start the server if it can not set the buffer size. Various cache -slabs options are auto-configured if not specified in the config file. It uses a power of two close to the number of threads. When the option is specified in the config file that value is used instead. An extra statistic is added to track the number of signature validation operations by the validator, `num.valops`. The unbound-control `cache_lookup` command prints cache information for names in the domain given. This prints similar to dump_cache, but only names under the zone(s) specified. Because of that it locks the caches for a much shorter time, and this is good for server responsiveness. The `sock-queue-timeout` option is adapted to work on FreeBSD as well as Linux. Features - Increase default to `num-queries-per-thread: 2048`, when unbound is compiled with libevent. It makes saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report. - Merge #1276: Auto-configure '-slabs' values. - Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report. - Adjusted so-sndbuf default to 4m. - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to track the number of signature validation operations. Adds 'num.valops' to extended statistics. - Fix #1303: [FR] Disable TLSv1.2. - unbound-control cache_lookup <domains> prints the cached rrsets and messages for those. - unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed. - Fix #1319: [FR] zone status for Unbound auth-zones. Bug Fixes - Fix #1272: assertion failure testcode/unitverify.c:202. - Merge #1275: Use macros for the fr_check_changed* functions. - Fix for parallel build of dnstap protoc-c output. - Fix dnstap to use protoc. - Sync unbound and unbound-checkconf log output for unknown modules. - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." in 1.23.0, but worked in 1.22.0. - Fix #1283: Unsafe usage of atoi() while parsing the configuration file. - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) data. Could lead to hang while trying to prove a wildcard answer. - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development. - Fix #1282: log-destaddr fail on long ipv6 addresses. - Fix config of slab values when there is no config file. - Fix for cname chain length with qtype ANY and qname minimisation. Thanks to Jim Greenwood from Nominet for the report. - Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man. - Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error. - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound program. - Small manpage corrections for the 'disable-dnssec-lame-check' option. - Fix unbound-anchor certificate file read for line ends and end of file. - Fix comment for the dname_remove_label_limit_len function. - iana portlist updated. - Fix bitwise operators in conditional expressions with parentheses. - Fix conditional expressions with parentheses for bitwise and. - Fix header return value description for skip_pkt_rrs and parse_edns_from_query_pkt. - Fix to check control-interface addresses in unbound-checkconf. - Fix #1295: Windows 32-bit binaries download seems to be missing dll dependency. - Fix for consistent use of local zone CNAME alias for configured auth zones. Now it also applies to downstream configured auth zones. - Fix #1296: DNS over QUIC depends on a very outdated version of ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0. - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod. - Fix rrset cache create allocation failure case. - Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit. - Fix #1247: forward-first: ssl handshake failed on root nameservers. - For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits. - For #1247, replay test (added tcp_transport to outnet_serviced_query). - Merge #1299: Fix typos. - Generate ltmain.sh and configure again. - Fix #1300: Is 'sock-queue-timeout' a linux only feature. - For #1300: implement sock-queue-timeout for FreeBSD as well. - Fix layout of comm_point_udp_ancil_callback. - Fix to improve dnstap discovery on Fedora. - Fix detection of SSL_CTX_set_tmp_ecdh function. - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1. - For #1289: test num.valops in existing stat_values.tdir. - For #1289: add num.valops in the unbound-control man page. - Add unit tests for non-ecs aggregation. - Fix to not set rlimits in the unit tests. - iana portlist updated. - Redis checks for server down and throttles reconnects. - Fix redis cachedb module gettimeofday init failure. - Fix testbound test program to accurately output packets from hex. - Fix #1309: incorrectly reclaimed tcp handler can cause data corruption and segfault. - Fix to use assertions for consistency checks in #1309 reclaimed tcp handlers. - Fix edns subnet, so that the subquery without subnet is stored in global cache if the querier used 0.0.0.0/0 and the name and address do not receive subnet treatment. If the name and address are configured for subnet, it is stored in the subnet cache. - Fix dname_str for printout of long names. Thanks to Jan Komissar for the fix. - Fix that edns-subnet failure to create a subquery errors as servfail, and not formerror. - Fix to whitespace in dname_str. - Fix that unbound-control dump_cache releases the cache locks every so often, so that the server stays responsive. - Fix to remove debug from cache_lookup. - Fix to unlock cache_lookup message for malformed records. - Fix to increase responsiveness of dump_cache. - Fix to decouple file descriptor activity and cache lookups in dump_cache. - Fix cache_lookup subnet printout to wipe zero part of the prefix. - Fix cache_lookup subnet print to not print messages without rrsets and perform in-depth check on node in the addrtree. - Fix to check for extraneous command arguments for unbound-control, when the command takes no arguments but there are arguments present. - Fix #1317: Unbound starts too early. Add Wants=network-online.target under [Unit] in unbound.service. - Fix for #1317: Fix contrib/unbound.service comment path for systemd network configuration. - For #1318: Fix compile warnings for DoH compile on windows. - Fix sha1 enable environment variable in test code on windows. - Fix that the zone acquired timestamp is set after the zonefile is read. - Fix ports workflow to install expat for macos. - Fix unbound-control dump_cache for double unlock of lruhash table. - Fix setup_listen_sslctx warning for nettle compile. - Limit the number of consecutive reads on an HTTP/2 session. Thanks to Gal Bar Nahum for exposing the possibility of infinite reads on the session. - Fix for #1324: Fix to free edns options scratch in ratelimit case. - Fix #1235: Outdated Python2 code in unbound/pythonmod/examples/log.py. - Fix #1324: Memory leak in 'msgparse.c' in 'parse_edns_options_from_query(...)'. - Fix indentation in tcp-mss option parsing. - For #1328: make depend. - Update documentation for using "SET ... EX" in Redis. - Document max buffer sizes for Redis commands. - Update man pages. - Fix #1332: CNAME chains are sometimes not followed when RPZs add a local CNAME rewrite. - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0. - Small debug output improvement when attaching an EDE. - Fix to print warning for when so-sndbuf setsockopt is not granted. - Too many quotes for the EDE message debug printout.
-