- Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu,

  Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.

Author: gthess

daemon/remote.c

@@ -6176,6 +6176,7 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg,
 	COPY_VAR_ptr(ipset_name_v6);
 #endif
 	COPY_VAR_int(ede);
+	COPY_VAR_int(iter_scrub_promiscuous);
 }
 #endif /* ATOMIC_POINTER_LOCK_FREE && HAVE_LINK_ATOMIC_STORE */
 

doc/example.conf.in

@@ -196,6 +196,10 @@ server:
 	# Limit on upstream queries for an incoming query and its recursion.
 	# max-global-quota: 200
 
+	# Should the scrubber remove promiscuous NS from positive answers,
+	# protects against poison attempts.
+	# iter-scrub-promiscuous: yes
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376

doc/unbound-control.8.in

@@ -167,6 +167,7 @@ ipset,
 \fI\%tcp\-reuse\-timeout\fP,
 \fI\%tcp\-auth\-query\-timeout\fP,
 \fI\%delay\-close\fP\&.
+\fI\%iter\-scrub\-promiscuous\fP\&.
 .sp
 It does not work with
 \fI\%interface\fP and

doc/unbound-control.rst

@@ -3656,6 +3656,15 @@ Default: 200
 .UNINDENT
 .INDENT 0.0
 .TP
+.B iter\-scrub\-promiscuous: \fI<yes or no>\fP 
+Should the iterator scrubber remove promiscuous NS from positive answers.
+This protects against poisonous contents, that could affect names in the
+same zone as a spoofed packet.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
 .B fast\-server\-permil: \fI<number>\fP 
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.

doc/unbound.conf.5.in

@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 					"RRset:", pkt, msg, prev, &rrset);
 				continue;
 			}
+			/* If the NS set is a promiscuous NS set, scrub that
+			 * to remove potential for poisonous contents that
+			 * affects other names in the same zone. Remove
+			 * promiscuous NS sets in positive answers, that
+			 * thus have records in the answer section. Nodata
+			 * and nxdomain promiscuous NS sets have been removed
+			 * already. Since the NS rrset is scrubbed, its
+			 * address records are also not marked to be allowed
+			 * and are removed later. */
+			if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
+				msg->an_rrsets != 0 &&
+				env->cfg->iter_scrub_promiscuous) {
+				remove_rrset("normalize: removing promiscuous "
+					"RRset:", pkt, msg, prev, &rrset);
+				continue;
+			}
 			if(nsset == NULL) {
 				nsset = rrset;
 			} else {

doc/unbound.conf.rst

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

iterator/iter_scrub.c

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

testdata/autotrust_init.rpl

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.