Skip to content

Tags

Tags give the ability to mark specific points in history as being important
  • debian/1.24.0-2
    unbound Debian release 1.24.0-2
  • debian/1.24.0-1
    unbound Debian release 1.24.0-1
  • upstream/1.24.0
    Upstream version 1.24.0
  • release-1.24.0
    Unbound 1.24.0
    
    This release features increased defaults, num.valops statistic,
    unbound-control cache_lookup, and bug fixes.
    
    The default value increase for num-queries-per-thread is to make
    saturation of the task queue more resource intensive and less
    practical. Thanks to Shiming Liu, Network and Information Security
    Lab, Tsinghua University for the report.
    
    The default value increase for so-sndbuf is to mitigate a cross-layer
    issue where the UDP socket send buffers are exhausted waiting for
    ARP/NDP resolution. Thanks to Reflyable for the report.
    
    To help the server start more easily, the setsockopt for sndbuf buffer
    size prints a warning instead of a failure to start the server if it
    can not set the buffer size.
    
    Various cache -slabs options are auto-configured if not specified
    in the config file. It uses a power of two close to the number of
    threads. When the option is specified in the config file that value
    is used instead.
    
    An extra statistic is added to track the number of signature validation
    operations by the validator, `num.valops`.
    
    The unbound-control `cache_lookup` command prints cache information for
    names in the domain given. This prints similar to dump_cache, but only
    names under the zone(s) specified. Because of that it locks the caches
    for a much shorter time, and this is good for server responsiveness.
    
    The `sock-queue-timeout` option is adapted to work on FreeBSD as well
    as Linux.
    
    Features
    - Increase default to `num-queries-per-thread: 2048`, when unbound is
      compiled with libevent. It makes saturation of the task queue more
      resource intensive and less practical. Thanks to Shiming Liu,
      Network and Information Security Lab, Tsinghua University for the
      report.
    - Merge #1276: Auto-configure '-slabs' values.
    - Change default for so-sndbuf to 1m, to mitigate a cross-layer
      issue where the UDP socket send buffers are exhausted waiting
      for ARP/NDP resolution. Thanks to Reflyable for the report.
    - Adjusted so-sndbuf default to 4m.
    - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
      track the number of signature validation operations.
      Adds 'num.valops' to extended statistics.
    - Fix #1303: [FR] Disable TLSv1.2.
    - unbound-control cache_lookup <domains> prints the cached rrsets
      and messages for those.
    - unbound-control cache_lookup +t allows tld and root names. And
      subnet cache contents are printed.
    - Fix #1319: [FR] zone status for Unbound auth-zones.
    
    Bug Fixes
    - Fix #1272: assertion failure testcode/unitverify.c:202.
    - Merge #1275: Use macros for the fr_check_changed* functions.
    - Fix for parallel build of dnstap protoc-c output.
    - Fix dnstap to use protoc.
    - Sync unbound and unbound-checkconf log output for unknown modules.
    - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
      in 1.23.0, but worked in 1.22.0.
    - Fix #1283: Unsafe usage of atoi() while parsing the configuration
      file.
    - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
      broken auth zones that include unsigned out of zone (above apex)
      data. Could lead to hang while trying to prove a wildcard answer.
    - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
      by adding a log_assert() to safeguard future development.
    - Fix #1282: log-destaddr fail on long ipv6 addresses.
    - Fix config of slab values when there is no config file.
    - Fix for cname chain length with qtype ANY and qname minimisation.
      Thanks to Jim Greenwood from Nominet for the report.
    - Merge #1285:  RST man pages. It introduces restructuredText man pages
      to sync the online and source code man page documentation.
      The templated man pages (*.in) are still part of the repo but
      generated with docutils from their .rst counterpart.
      Documentation on how to generate those (mainly for core developers)
      is in README.man.
    - Add more checks about respip in unbound-checkconf.
      Also fixes #310: unbound-checkconf not reporting RPZ configuration
      error.
    - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
      program.
    - Small manpage corrections for the 'disable-dnssec-lame-check' option.
    - Fix unbound-anchor certificate file read for line ends and end of
      file.
    - Fix comment for the dname_remove_label_limit_len function.
    - iana portlist updated.
    - Fix bitwise operators in conditional expressions with parentheses.
    - Fix conditional expressions with parentheses for bitwise and.
    - Fix header return value description for skip_pkt_rrs and
      parse_edns_from_query_pkt.
    - Fix to check control-interface addresses in unbound-checkconf.
    - Fix #1295: Windows 32-bit binaries download seems to be missing dll
      dependency.
    - Fix for consistent use of local zone CNAME alias for configured auth
      zones. Now it also applies to downstream configured auth zones.
    - Fix #1296: DNS over QUIC depends on a very outdated version of
      ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
    - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
    - Fix rrset cache create allocation failure case.
    - Fix #1293: EDE 6 is attached to insecure cached answers when client
      sends the CD bit.
    - Fix #1247: forward-first: ssl handshake failed on root nameservers.
    - For #1247, turn off fetch-policy for delegation when looking into
      parent side name servers that may not update the addresses and hit
      NXNS limits.
    - For #1247, replay test (added tcp_transport to
      outnet_serviced_query).
    - Merge #1299: Fix typos.
    - Generate ltmain.sh and configure again.
    - Fix #1300: Is 'sock-queue-timeout' a linux only feature.
    - For #1300: implement sock-queue-timeout for FreeBSD as well.
    - Fix layout of comm_point_udp_ancil_callback.
    - Fix to improve dnstap discovery on Fedora.
    - Fix detection of SSL_CTX_set_tmp_ecdh function.
    - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
    - For #1289: test num.valops in existing stat_values.tdir.
    - For #1289: add num.valops in the unbound-control man page.
    - Add unit tests for non-ecs aggregation.
    - Fix to not set rlimits in the unit tests.
    - iana portlist updated.
    - Redis checks for server down and throttles reconnects.
    - Fix redis cachedb module gettimeofday init failure.
    - Fix testbound test program to accurately output packets from hex.
    - Fix #1309: incorrectly reclaimed tcp handler can cause data
      corruption and segfault.
    - Fix to use assertions for consistency checks in #1309 reclaimed
      tcp handlers.
    - Fix edns subnet, so that the subquery without subnet is stored in
      global cache if the querier used 0.0.0.0/0 and the name and address
      do not receive subnet treatment. If the name and address are
      configured for subnet, it is stored in the subnet cache.
    - Fix dname_str for printout of long names. Thanks to Jan Komissar
      for the fix.
    - Fix that edns-subnet failure to create a subquery errors as
      servfail, and not formerror.
    - Fix to whitespace in dname_str.
    - Fix that unbound-control dump_cache releases the cache locks
      every so often, so that the server stays responsive.
    - Fix to remove debug from cache_lookup.
    - Fix to unlock cache_lookup message for malformed records.
    - Fix to increase responsiveness of dump_cache.
    - Fix to decouple file descriptor activity and cache lookups in
      dump_cache.
    - Fix cache_lookup subnet printout to wipe zero part of the prefix.
    - Fix cache_lookup subnet print to not print messages without rrsets
      and perform in-depth check on node in the addrtree.
    - Fix to check for extraneous command arguments for unbound-control,
      when the command takes no arguments but there are arguments present.
    - Fix #1317: Unbound starts too early. Add
      Wants=network-online.target under [Unit] in unbound.service.
    - Fix for #1317: Fix contrib/unbound.service comment path for
      systemd network configuration.
    - For #1318: Fix compile warnings for DoH compile on windows.
    - Fix sha1 enable environment variable in test code on windows.
    - Fix that the zone acquired timestamp is set after the
      zonefile is read.
    - Fix ports workflow to install expat for macos.
    - Fix unbound-control dump_cache for double unlock of lruhash table.
    - Fix setup_listen_sslctx warning for nettle compile.
    - Limit the number of consecutive reads on an HTTP/2 session.
      Thanks to Gal Bar Nahum for exposing the possibility of infinite
      reads on the session.
    - Fix for #1324: Fix to free edns options scratch in ratelimit case.
    - Fix #1235: Outdated Python2 code in
      unbound/pythonmod/examples/log.py.
    - Fix #1324: Memory leak in 'msgparse.c' in
      'parse_edns_options_from_query(...)'.
    - Fix indentation in tcp-mss option parsing.
    - For #1328: make depend.
    - Update documentation for using "SET ... EX" in Redis.
    - Document max buffer sizes for Redis commands.
    - Update man pages.
    - Fix #1332: CNAME chains are sometimes not followed when RPZs add a
      local CNAME rewrite.
    - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
    - Small debug output improvement when attaching an EDE.
    - Fix to print warning for when so-sndbuf setsockopt is not granted.
    - Too many quotes for the EDE message debug printout.
    
  • release-1.24.0rc1
    Tag for Unbound 1.24.0rc1.
    
  • debian/1.17.1-2+deb12u3
    unbound Debian release 1.17.1-2+deb12u3
    
  • debian/1.9.0-2+deb10u2_deb9u6
    unbound1.9 Debian release 1.9.0-2+deb10u2~deb9u6
    
  • debian/1.23.1-1
    unbound Debian release 1.23.1-1
  • debian/1.9.0-2+deb10u6
    unbound Debian release 1.9.0-2+deb10u6
    
  • debian/1.13.1-1+deb11u5
    unbound Debian release 1.13.1-1+deb11u5
    
  • upstream/1.23.1
    Upstream version 1.23.1
  • debian/1.22.0-2
    unbound Debian release 1.22.0-2
  • release-1.23.1
    Unbound 1.23.1
    
    This security release fixes the Rebirthday Attack CVE-2025-5994.
    
    This re-opens up resolvers to a birthday paradox, for EDNS client subnet
    servers that respond with non-ECS answers. It only affects Unbound when
    compiled with --enable-subnet, and subnetmod is enabled with config
    options that send ECS information to upstream servers.
    
    The CVE is described here
    https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
    
    We would like to thank Xiang Li (AOSP Lab, Nankai University) for
    discovering and responsibly disclosing the vulnerability.
    
    Bug Fixes:
    - Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
      AOSP Lab Nankai University.
    
  • release-1.23.0
    Unbound 1.23.0
    
    This release features changed defaults, fast reload, redis replica,
    DNS Error Reporting, and bug fixes.
    
    The fast reload is a feature that is listed as experimental. With
    `unbound-control fast_reload` the server can read the new config in
    a thread, and when done only briefly pauses the server to update the
    settings. This uses double memory, for like zones from disk or config
    that is loaded. It only pauses the server, for like less than a second,
    so DNS service is not interrupted by the reload of config. A lot of
    config items can be changed, but not all. It has options to print
    more information, or memory usage, and there is a list of config
    options in the man page.
    
    The redis replica support allows for a redis backend to use a redis
    replica. The read commands are sent to the redis replica host, while
    the write commands are sent to the redis server. So with several
    replicas there can be more readers that all write to the redis server.
    
    With DNS error reporting, RFC9567, enabled with
    `dns-error-reporting: yes`, this uses the error reporting agent to send
    failure reports to. The number of error reporting queries is output in
    the statistics as `num.dns_error_reports`.
    
    Some defaults are changed in this release. The `resolver.arpa.` and
    `service.arpa.` zones are added to the default locally served zones,
    this can be disabled with a nodefault local zone. The default for
    `max-global-quota` has changed to 200, after operational feedback.
    The defaults from RFC8767 are used by `serve-expired-client-timeout`
    on 1800 milliseconds and `serve-expired-ttl` on 86400 seconds. If
    Unbound is compiled with edns subnet, the default for module-config
    is no longer altered, so that compilation with subnet does not
    interfere when the server does not use subnet. When edns subnet needs
    to be enabled, `module-config: "subnetcache validator iterator"` should
    be explicitly set as configuration in the `server:` section.
    
    If edns subnet is enabled, the default for
    module-config is no longer altered, so that compilation with subnet
    does not interfere when the server does not use subnet. When edns subnet
    is in use, also `module-config: "subnetcache validator iterator"` should
    be set as configuration in the `server:` section.
    
    The RC2 has fixes for building on Solaris and portability to Windows,
    and fixes a memory leak for DoH.
    
    Features
    - Increase the default of max-global-quota to 200 from 128 after
      operational feedback. Still keeping the possible amplification
      factor (CAMP related issues) in the hundreds.
    - Fix #1175: serve-expired does not adhere to secure-by-default
      principle. The default value of serve-expired-client-timeout
      is set to 1800 as suggested by RFC8767.
    - For #1175, the default value of serve-expired-ttl is set to 86400
      (1 day) as suggested by RFC8767.
    - For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
      LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
    - Add resolver.arpa and service.arpa to the default locally served
      zones.
    - Merge #1042: Fast Reload. The unbound-control fast_reload is added.
      It reads changed config in a thread, then only briefly pauses the
      service threads, that keep running. DNS service is only interrupted
      briefly, less than a second.
    - Merge #1019: Redis read-only replica support.
      Introduces new 'redis-replica-*' options for the Redis cache backend.
    - Merge #902: DNS Error Reporting (RFC 9567). Introduces new
      configuration option 'dns-error-reporting' and new statistics for
      'num.dns_error_reports'.
    
    Bug Fixes
    - Fix #1154: Tag Incorrectly Applying for Other Interfaces
      Using the Same IP. This fix is not for 1.22.0.
    - Fix #1163: Typos in unbound.conf documentation.
    - Merge #1159: Stats for discard-timeout and wait-limit.
    - Add test case for #1159.
    - Some clean up for stat_values.test.
    - Merge #1170 from Melroy van den Berg, Fix chroot manpage
      description.
    - Merge #1157 from Liang Zhu, Fix heap corruption when calling
      ub_ctx_delete in Windows.
    - Fix redis that during a reload it does not fail if the redis
      server does not connect or does not respond. It still logs the
      errors and if the server is up checks expiration features.
    - Merge #1167: Makefile.in: fix occasional parallel build failures
      around bison rule.
    - Fix SETEX check during Redis (re)initialization.
    - Fix for the serve expired DNSSEC information fix, it would not allow
      current delegation information be updated in cache. The fix allows
      current delegation and validation recursion information to be
      updated, but as a consequence no longer has certain expired
      information around for later dnssec valid expired responses.
    - Fix to log redis timeout error string on failure.
    - More descriptive text for 'harden-algo-downgrade'.
    - Complete fix for max-global-quota to 200.
    - Fix #1183: the data being used is released in method
      nsec3_hash_test_entry.
    - Fix for #1183: release nsec3 hashes per test file.
    - Merge #1169 from Sergey Kacheev, fix: lock-free counters for
      auth_zone up/down queries.
    - Fix comparison to help static analyzer.
    - For #1175, update serve-expired tests.
    - Merge #1189: Fix the dname_str method to cause conversion errors
      when the domain name length is 255.
    - Merge #1197: dname_str() fixes.
    - Merge #1198: Fix log-servfail with serve expired and no useful cache
      contents.
    - Safeguard alias loop while looking in the cache for expired answers.
    - Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
      drop.
    - Fix typo in log_servfail.tdir test.
    - Merge #1204: ci: set persist-credentials: false for actions/checkout
      per zizmor suggestion.
    - Merge #1174: Serve expired cache update fixes. Fixes a regression bug
      with serve-expired that appeared in 1.22.0 and would not allow the
      iterator to update the cache with not-yet-validated entries resulting
      in increased outgoing traffic.
    - Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
      handshake.
    - Fix #1213: Misleading error message on default access control causing
      refuse.
    - Merge #1221: Consider auth zones when checking for forwarders.
    - Merge #1222: Unique DoT and DoH SSL contexts to allow for different
      ALPN.
    - Create the quic SSL listening context only when needed.
    - Fix compile of interface check code when dnscrypt or quic is
      disabled.
    - Fix encoding of RR type ATMA.
    - Fix to check length in ATMA string to wire.
    - Merge #1229: check before use daemon->shm_info.
    - Use the same interface listening port discovery code for all needed
      protocols.
    - Port to string only when needed before getaddrinfo().
    - Do not open unencrypted channels next to encrypted ones on the same
      port.
    - Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
      set.
    - Merge #1220 from Petr Menšík, Add unbound members group access to
      control key.
    - Make the default value of module-config "validator iterator"
      regardless of compilation options. --enable-subnet would implicitly
      change the value to enable the subnetcache module by default in the
      past.
    - Fix #986: Resolving sas.com with dnssec-validation fails though
      signed delegations seem to be (mostly) correct.
    - Consider reconfigurations when calculating the still_useful_timeout
      for servers in the infrastructure cache.
    - Fix static analysis report about unhandled EOF on error conditions
      when reading anchor key files.
    - Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
      values.
    - Fix hash calculation for cachedb to ignore case. Previously, cached
      records there were only relevant for same case queries (if not
      already in Unbound's internal cache).
    - Merge #1243: Do not shadow tm on line 236.
    - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
      Add --help output description for the SOURCE_DATE_EPOCH variable.
    - Fix 'unbound-control flush_negative' when reporting removed data;
      reported by David 'eqvinox' Lamparter.
    - Fix representation of types GPOS and RESINFO, add rdf type for
      unquoted str.
    - Fix #1251: WSAPoll first argument cannot be NULL.
    - Fix for windows compile create ssl contexts.
    - Fix print of RR type NSAP-PTR, it is an unquoted string.
    - Fix #1253: Cache entries fail to be removed from Redis cachedb
      backend with unbound-control flush* +c.
    - Fix for #1253: Fix for redis cachedb backend to expect an integer
      reply for the EXPIRE command.
    - Fix #1254: `send failed: Socket is not connected` and
      `remote address is 0.0.0.0 port 53`.
    - Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
    - For #1255, for ios use an older expat version that does not require
      C++11 language features.
    - For #1255, for ios disable building tests that require C++11.
    - For #1255, for ios try the latest expat version again.
    - Fix unit test dname log printout typecast.
    - Fix for ci test, expat is installed on the osx image.
    - iana portlist update.
    - Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
    - Fix escape more characters when printing an RR type with an unquoted
      string.
    - Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
    - Fix unbound-control test so it counts the new flush_negative output,
      also answers the _ta probe from testns and prints command output
      and skip a thread specific test when no threads are available.
    - Fix that ub_event has the facility to deal with callbacks for
      fast reload, doq, windows-stop and dnstap.
    - Fix fast reload test to check if pid exists before acting on it.
    - Merge #1262 from markyang92, fix build with
      'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
    - For #1262, ifdef is no longer needed.
    - Fix #1263: Exempt loopback addresses from wait-limit.
    - Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
      to allow two arguments.
    - Fix ub_event and include dnstap and win_svc headers.
    - Fix test for stat_values for wait limit defaults for localhost.
    - Fix parameter unused warning in net_help.c.
    - Fix mesh_copy_client_info to omit null contents from copy.
    - Fix comment name in the rpz nsdname test.
    - Fix nettle compile for warnings and ticket keys.
    - Fix redis_replica test for unused option defaults and log printout.
    - Fix test to speed up common.sh script kill_pid.
    - Fix to update common.sh for speed of kill_pid.
    - Update to the manpage for the fast_reload part.
    - Fix fast_reload to print chroot with config file name.
    - Fix to detect if atomic_store links in configure.
    - Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
    - Fix for print of connection type in log-replies for dot and doh.
    - Merge #1265: Fix WSAPoll.
    
    
  • release-1.23.0rc2
    Tag for Unbound 1.23.0rc2.
    
  • release-1.23.0rc1
    5eb1382f · - Tag for 1.23.0rc1. ·
    Tag for Unbound 1.23.0rc1.
    
  • debian/1.9.0-2+deb10u2_deb9u5
    a441f60a · Disable autopkgtests ·
    unbound1.9 Debian release 1.9.0-2+deb10u2~deb9u5
    
  • debian/1.9.0-2+deb10u5
    unbound Debian release 1.9.0-2+deb10u5
    
  • debian/1.13.1-1+deb11u4
    unbound Debian release 1.13.1-1+deb11u4
    
  • debian/1.22.0-1
    unbound Debian release 1.22.0-1