Unbound 1.25.1

Unbound 1.25.1

This release has a number of security fixes.

The release is signed with the OpenPGP software signing key that is
in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys .

This release consolidates security fixes for issues reported over
a period of time. There are fixes for CVE-2026-33278,
CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960,
CVE-2026-44390 and CVE-2026-44608.

Bug Fixes

• Fix CVE-2026-33278, Possible remote code execution during DNSSEC
  validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
  cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
  Networks, for the report.
• Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
  content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
• Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
  Griffiths from 'calif.io' for the report.
• Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
  Zhang, Palo Alto Networks, for the report.
• Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
  degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
  Zhang from Palo Alto Networks, for the report.
• Fix CVE-2026-42534, Jostle logic bypass degrades resolution
  performance. Thanks to Qifan Zhang, Palo Alto Networks, for the
  report.
• Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
  hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
  the report.
• Fix CVE-2026-42960, Possible cache poisoning attack while following
  delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
  and JianJun Chen, Tsinghua University, for the report.
• Fix CVE-2026-44390, Unbounded name compression in certain cases
  causes degradation of service. Thanks to Qifan Zhang, Palo Alto
  Networks, for the report.
• Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
  to Qifan Zhang, Palo Alto Networks, for the report.

Unbound 1.25.0

Unbound 1.25.0

This release has some features and a number of bug fixes.

The release is signed with the OpenPGP software signing key that is
in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys .

For cached records, the last second when they reach a lifetime of 0
is treated differently, the 0 value is expired. The client does not see
a 0 TTL value that was not zero originally.

For the mesh reply count, there are added statistics counters.
The num.queries.replyaddr_limit value notes the number of queries
removed due to replyaddr limits, and requestlist.current.replies tracks
the current amount.

With log-thread-id the Linux thread id can be logged, for easier
debugging. The contrib/gost12.patch adds ECC-GOST12 support, it was
contributed by Igor V. Ruzanov.

For DNAME TTL 0 items, that are received as 0 TTL items, their
synthesized responses can be served within a 1 second grace period.
This reduces recursion when authoritative servers set TTL 0 on DNAMEs.

The reload and fast_reload commands can change the TLS certificates
if the files are changed. The tls-protocols option allows to set
which tls protolocs are available, with "TLSv1.2 TLSv1.3" enabled
by default.

If pthread_setname or similar is available, it is used to give
descriptive names to the threads of unbound, when using pthreads.

There is a new option, iter-scrub-rrsig: 8, that limits the
number of RRSIGs for RRsets. This protects against overly
large numbers of RRSIGs. The default of 8 is the same as the
amount of signatures that the validator verifies. Thanks to
Yuxiao Wu, Tsinghua University for the report.

There is a fix for a local privilege escalation on Windows.
It fixes the OpenSSL init calls, to not load openssl.cnf for
Windows. Thanks to Hao Huang and CrisprXiang with Fudan University
for the report.

There is a fix to elide SVCB and HTTPS records that match
the private-address filter. It fixes a DNS Rebinding Bypass
via SVCB/HTTPS Records in Unbound. Thanks to Kunta Chu, School
of Software, Tsinghua University, Taofei Guo, Peking
University, and Jianjun Chen, Institute for Network Sciences
and Cyberspace, Tsinghua University for the report.

There is a fix to to ignore out-of-zone DNAME records for
CNAME synthesis. Thanks to Yuxiao Wu, Yiyi Wang, Zhang Chao,
Baojun Liu, and Haixin Duan from Tsinghua University.

There is a fix to check for invalid http content length and chunk
size, and to check the RR rdata field lengths when decompressing and
inserting RRs from an authority zone transfer. This stops
large memory use and heap buffer-overflow read errors. Thanks
to Haruto Kimura (Stella) for the report.

In addition, there is a fix to improve RFC7766 compliance for
responses over TCP. When the client sends EOF over TCP, it stops
pending replies and closes immediately. Thanks to Yuxiao Wu,
Tsinghua University for the report.

There is a fix for the Jiggle Attack. The server is fixed to answer
with errors for error cases, and does not stay silent.
In addition, the error replies do not contain parts of the
incoming query. This is more conformant, stops reflection
and stops it as a covert channel. Thanks to Yuqi Qiu and
Xiang Li, Nankai University (AOSP Lab) for the report.
In addition, thanks to Qifan Zhang, Palo Alto Networks, for
noting the fingerprinting possibility, that is also fixed
with this.

There is a fix for EDNS extended RCODE reflection. This fixes that
the server does not echo extended rcode values after class
chaos queries. Thanks to Qifan Zhang, Palo Alto Networks
for the report.

There is a fix for iterator RCODE handling of YXDOMAIN. This fixes
that the server only accepts YXDOMAIN answers that contain
a DNAME record. This stops bad answers, and checks that
the authoritative server gives correct replies.
Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for a missing bounds check for decompressing dnames
for downloaded authority zones. This fixes that the server
could end up with malformed zone content after receiving
truncated packet contents from an AXFR. In addition, the
domain names in the SOA rdata are checked before the
authority code picks up the zone serial. Thanks to Halil Oktay
for the report.

There is a fix for upstream TLS connections, so that they are
not reused as TLS connections for a different name, at the same
IP. This checks that the tls name is correct when reusing the
upstream connections. Thanks to TaoFei Guo from Peking University
and JianJun Chen from Tsinghua University for the report.

There is a fix that signatures are not allowed with revoked
dnskeys. This adheres to the processing rules from RFC5011.
Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for checking that a DNAME with an unsigned CNAME has
a correct match. This stops that for certain zone configurations an
unchecked unsigned CNAME could get secure status. Thanks to Qifan
Zhang, Palo Alto Networks for the report.

There is a fix for the handling of wildcard CNAMEs in the chain
of trust. An improper wildcard in the chain of trust would send the
retries to the wrong upstream. Also it could label the step in the
chain of trust as secure, when it was not. Thanks to Qifan Zhang,
Palo Alto Networks for the report.

Compared to the rc1, the release contains a fix for a buffer overrun
in the DoQ code.

Features

• Merge #1337: 0 TTL cached replies and some TTL behavior changes.
• TTL change: Cached records that reach TTL 0 are expired.
• TTL change: TTL 0 upstream answers are no longer cached by
  cachedb, as they should.
• TTL change: 'serve-expired-reply-ttl' is now capped by the original
  TTL value of the record to try and make some sense when replying
  with expired records.
• TTL change: TTL decoding was updated to adhere to RFC8767 section 4
  where a 'set high-order bit' means the value is positive instead of
  0.
• Merge #1374: Mesh reply counters.
  This adds the statistics num.queries.replyaddr_limit and
  requestlist.current.replies.
• Introduce the 'log-thread-id' configuration option to manage logging
  the system-wide Linux thread ID for easier debugging with system
  tools.
• Fix #1389: [FR] replacement with ECC-GOST12 according to RFC9558.
  Patch contributed by Igor V. Ruzanov, available in
  contrib/gost12.patch.
• Merge #1411: Allow synthesized DNAME TTL=0 to be served from cache
  within grace period. The responses are served from cache within
  a 1-second grace period. Reduces recursion when authoritative
  servers return DNAME with TTL=0 (RFC 2308). Response
  still returns TTL=0 to clients. Adds a test for it.
• Fix #278: DoT: complete unbound restart required on certificate
  renew. Fix so that a reload checks if the files have changed, and
  if so, reload the contexts. Also for DoH, DoQ and outgoing DoT.
• For #278: fast_reload can reload tls-service-key, tls-service-pem
  and tls-cert-bundle changes. It checks the modification time of
  the tls-service-key and tls-service-pem files for update.
• Fix to allow the control-interface config to use ip@port notation.
• Fix to shorten RRSIG count in scrubber, this protects against
  an overly large number of RRSIGs. It can be configured with
  iter-scrub-rrsig: 8, it has default 8. Thanks to Yuxiao Wu,
  Tsinghua University for the report.
• Introduce new 'tls-protocols' configuration option that specifies
  which of the supported TLS protocols will be used.
  TLSv1.2 is again enabled by default, but can be selectively turned
  off if desired (related to #1303).
• Merge #1400: Support pthread_setname_np. Adds support for
  pthread_setname_np and variants to set the name on spawned threads
  for easier debugging/monitoring.

Bug Fixes

• Update README.man with clearer text.
• unbound.conf manpage: explicitly mention RFC6891.
• Fix to remove configure~ from release tarballs.
• Merge #1352 from Petr Vaganov: pythonmod: fix HANDLE_LEAK on
  pythonmod_init.
• For #1352, align with the current Python<3 code.
• Merge #1350 from Maryse47: unbound.service.in: allow CAP_NET_ADMIN.
• For #1350, same CAP_NET_ADMIN change for unbound_portable.service.in
  as well.
• Avoid calling mesh_detect_cycle_found() when there is no mesh state
  to begin with.
• Test for nonstring attribute in configure and add
  nonstring attribute annotations.
• Merge #1349: Fix #1346: [FR] Please allow back TLS 1.2.
• Merge #1351: ac_cv_func_malloc_0_nonnull for malloc(0) check.
• Rebuild configure script from its sources.
• Fix modstack_call_init to use the original string when it has
  changed, to call modstack_config with. And skip the changed name
  in the string correctly. Thanks to Jan Komissar.
• Neaten up the change in acx_nlnetlabs.m4 to version 49.
• Fix fr_atomic_copy_cfg.
• Rebuild configure script from its sources.
• Fix #1353: auth-zone can not use empty label for $ORIGIN when
  http download.
• Fix #1344: module conf 'respip dns64 validator cachedb iterator'
  is not known to work.
• Fix for #1344: Fix that respip and dns64 can be enabled at the
  same time, the client info is copied for attach_sub and add_sub
  calls. That makes respip work on dns64 synthesized answers, and
  also makes RPZ work with DNS64. The order for the modules is
  module-config: "respip dns64 validator iterator".
• Fix that https is set up as enabled when the port is listed in
  interface-automatic-ports. Also for the set up of quic it is
  enabled when listed there.
• Note 'respip' and 'dns64' module order in the unbound.conf
  man page.
• Note clearly that 'wait-limit: 0' disables all wait limits.
• 'wait-limit-cookie: 0' can now disable cookie valida...

Unbound 1.24.2

This security release has additional fixes for CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies mitigating the possible
poison effect.

Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
RRSets (and their respective address records) from YXDOMAIN and
non-referral nodata replies as well, mitigating the possible poison
effect.

We would like to thank TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University for discovering and responsibly
disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.

Bug Fixes:

• Additional fix for CVE-2025-11411 (possible domain hijacking attack),
  to include YXDOMAIN and non-referral nodata answers in the mitigation
  as well, reported by TaoFei Guo from Peking University, Yang Luo and
  JianJun Chen from Tsinghua University.

Unbound 1.24.1

This security release fixes CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.

Bug Fixes:

• Fix CVE-2025-11411 (possible domain hijacking attack), reported by
  Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
  University.

Unbound 1.24.0

Unbound 1.24.0

This release features increased defaults, num.valops statistic,
unbound-control cache_lookup, and bug fixes.

The default value increase for num-queries-per-thread is to make
saturation of the task queue more resource intensive and less
practical. Thanks to Shiming Liu, Network and Information Security
Lab, Tsinghua University for the report.

The default value increase for so-sndbuf is to mitigate a cross-layer
issue where the UDP socket send buffers are exhausted waiting for
ARP/NDP resolution. Thanks to Reflyable for the report.

To help the server start more easily, the setsockopt for sndbuf buffer
size prints a warning instead of a failure to start the server if it
can not set the buffer size.

Various cache -slabs options are auto-configured if not specified
in the config file. It uses a power of two close to the number of
threads. When the option is specified in the config file that value
is used instead.

An extra statistic is added to track the number of signature validation
operations by the validator, num.valops.

The unbound-control cache_lookup command prints cache information for
names in the domain given. This prints similar to dump_cache, but only
names under the zone(s) specified. Because of that it locks the caches
for a much shorter time, and this is good for server responsiveness.

The sock-queue-timeout option is adapted to work on FreeBSD as well
as Linux.

Features

• Increase default to num-queries-per-thread: 2048, when unbound is
  compiled with libevent. It makes saturation of the task queue more
  resource intensive and less practical. Thanks to Shiming Liu,
  Network and Information Security Lab, Tsinghua University for the
  report.
• Merge #1276: Auto-configure '-slabs' values.
• Change default for so-sndbuf to 1m, to mitigate a cross-layer
  issue where the UDP socket send buffers are exhausted waiting
  for ARP/NDP resolution. Thanks to Reflyable for the report.
• Adjusted so-sndbuf default to 4m.
• Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
  track the number of signature validation operations.
  Adds 'num.valops' to extended statistics.
• Fix #1303: [FR] Disable TLSv1.2.
• unbound-control cache_lookup prints the cached rrsets
  and messages for those.
• unbound-control cache_lookup +t allows tld and root names. And
  subnet cache contents are printed.
• Fix #1319: [FR] zone status for Unbound auth-zones.

Bug Fixes

• Fix #1272: assertion failure testcode/unitverify.c:202.
• Merge #1275: Use macros for the fr_check_changed* functions.
• Fix for parallel build of dnstap protoc-c output.
• Fix dnstap to use protoc.
• Sync unbound and unbound-checkconf log output for unknown modules.
• Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
  in 1.23.0, but worked in 1.22.0.
• Fix #1283: Unsafe usage of atoi() while parsing the configuration
  file.
• Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
  broken auth zones that include unsigned out of zone (above apex)
  data. Could lead to hang while trying to prove a wildcard answer.
• Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
  by adding a log_assert() to safeguard future development.
• Fix #1282: log-destaddr fail on long ipv6 addresses.
• Fix config of slab values when there is no config file.
• Fix for cname chain length with qtype ANY and qname minimisation.
  Thanks to Jim Greenwood from Nominet for the report.
• Merge #1285: RST man pages. It introduces restructuredText man pages
  to sync the online and source code man page documentation.
  The templated man pages (*.in) are still part of the repo but
  generated with docutils from their .rst counterpart.
  Documentation on how to generate those (mainly for core developers)
  is in README.man.
• Add more checks about respip in unbound-checkconf.
  Also fixes #310: unbound-checkconf not reporting RPZ configuration
  error.
• Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
  program.
• Small manpage corrections for the 'disable-dnssec-lame-check' option.
• Fix unbound-anchor certificate file read for line ends and end of
  file.
• Fix comment for the dname_remove_label_limit_len function.
• iana portlist updated.
• Fix bitwise operators in conditional expressions with parentheses.
• Fix conditional expressions with parentheses for bitwise and.
• Fix header return value description for skip_pkt_rrs and
  parse_edns_from_query_pkt.
• Fix to check control-interface addresses in unbound-checkconf.
• Fix #1295: Windows 32-bit binaries download seems to be missing dll
  dependency.
• Fix for consistent use of local zone CNAME alias for configured auth
  zones. Now it also applies to downstream configured auth zones.
• Fix #1296: DNS over QUIC depends on a very outdated version of
  ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
• Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
• Fix rrset cache create allocation failure case.
• Fix #1293: EDE 6 is attached to insecure cached answers when client
  sends the CD bit.
• Fix #1247: forward-first: ssl handshake failed on root nameservers.
• For #1247, turn off fetch-policy for delegation when looking into
  parent side name servers that may not update the addresses and hit
  NXNS limits.
• For #1247, replay test (added tcp_transport to
  outnet_serviced_query).
• Merge #1299: Fix typos.
• Generate ltmain.sh and configure again.
• Fix #1300: Is 'sock-queue-timeout' a linux only feature.
• For #1300: implement sock-queue-timeout for FreeBSD as well.
• Fix layout of comm_point_udp_ancil_callback.
• Fix to improve dnstap discovery on Fedora.
• Fix detection of SSL_CTX_set_tmp_ecdh function.
• For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
• For #1289: test num.valops in existing stat_values.tdir.
• For #1289: add num.valops in the unbound-control man page.
• Add unit tests for non-ecs aggregation.
• Fix to not set rlimits in the unit tests.
• iana portlist updated.
• Redis checks for server down and throttles reconnects.
• Fix redis cachedb module gettimeofday init failure.
• Fix testbound test program to accurately output packets from hex.
• Fix #1309: incorrectly reclaimed tcp handler can cause data
  corruption and segfault.
• Fix to use assertions for consistency checks in #1309 reclaimed
  tcp handlers.
• Fix edns subnet, so that the subquery without subnet is stored in
  global cache if the querier used 0.0.0.0/0 and the name and address
  do not receive subnet treatment. If the name and address are
  configured for subnet, it is stored in the subnet cache.
• Fix dname_str for printout of long names. Thanks to Jan Komissar
  for the fix.
• Fix that edns-subnet failure to create a subquery errors as
  servfail, and not formerror.
• Fix to whitespace in dname_str.
• Fix that unbound-control dump_cache releases the cache locks
  every so often, so that the server stays responsive.
• Fix to remove debug from cache_lookup.
• Fix to unlock cache_lookup message for malformed records.
• Fix to increase responsiveness of dump_cache.
• Fix to decouple file descriptor activity and cache lookups in
  dump_cache.
• Fix cache_lookup subnet printout to wipe zero part of the prefix.
• Fix cache_lookup subnet print to not print messages without rrsets
  and perform in-depth check on node in the addrtree.
• Fix to check for extraneous command arguments for unbound-control,
  when the command takes no arguments but there are arguments present.
• Fix #1317: Unbound starts too early. Add
  Wants=network-online.target under [Unit] in unbound.service.
• Fix for #1317: Fix contrib/unbound.service comment path for
  systemd network configuration.
• For #1318: Fix compile warnings for DoH compile on windows.
• Fix sha1 enable environment variable in test code on windows.
• Fix that the zone acquired timestamp is set after the
  zonefile is read.
• Fix ports workflow to install expat for macos.
• Fix unbound-control dump_cache for double unlock of lruhash table.
• Fix setup_listen_sslctx warning for nettle compile.
• Limit the number of consecutive reads on an HTTP/2 session.
  Thanks to Gal Bar Nahum for exposing the possibility of infinite
  reads on the session.
• Fix for #1324: Fix to free edns options scratch in ratelimit case.
• Fix #1235: Outdated Python2 code in
  unbound/pythonmod/examples/log.py.
• Fix #1324: Memory leak in 'msgparse.c' in
  'parse_edns_options_from_query(...)'.
• Fix indentation in tcp-mss option parsing.
• For #1328: make depend.
• Update documentation for using "SET ... EX" in Redis.
• Document max buffer sizes for Redis commands.
• Update man pages.
• Fix #1332: CNAME chains are sometimes not followed when RPZs add a
  local CNAME rewrite.
• Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
• Small debug output improvement when attaching an EDE.
• Fix to print warning for when so-sndbuf setsockopt is not granted.
• Too many quotes for the EDE message debug printout.

Unbound 1.23.1

This security release fixes the Rebirthday Attack CVE-2025-5994.

This re-opens up resolvers to a birthday paradox, for EDNS client subnet
servers that respond with non-ECS answers. It only affects Unbound when
compiled with --enable-subnet, and subnetmod is enabled with config
options that send ECS information to upstream servers.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.

Bug Fixes:

• Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
  AOSP Lab Nankai University.

Unbound 1.23.0

Unbound 1.23.0

This release features changed defaults, fast reload, redis replica,
DNS Error Reporting, and bug fixes.

The fast reload is a feature that is listed as experimental. With
unbound-control fast_reload the server can read the new config in
a thread, and when done only briefly pauses the server to update the
settings. This uses double memory, for like zones from disk or config
that is loaded. It only pauses the server, for like less than a second,
so DNS service is not interrupted by the reload of config. A lot of
config items can be changed, but not all. It has options to print
more information, or memory usage, and there is a list of config
options in the man page.

The redis replica support allows for a redis backend to use a redis
replica. The read commands are sent to the redis replica host, while
the write commands are sent to the redis server. So with several
replicas there can be more readers that all write to the redis server.

With DNS error reporting, RFC9567, enabled with
dns-error-reporting: yes, this uses the error reporting agent to send
failure reports to. The number of error reporting queries is output in
the statistics as num.dns_error_reports.

Some defaults are changed in this release. The resolver.arpa. and
service.arpa. zones are added to the default locally served zones,
this can be disabled with a nodefault local zone. The default for
max-global-quota has changed to 200, after operational feedback.
The defaults from RFC8767 are used by serve-expired-client-timeout
on 1800 milliseconds and serve-expired-ttl on 86400 seconds. If
Unbound is compiled with edns subnet, the default for module-config
is no longer altered, so that compilation with subnet does not
interfere when the server does not use subnet. When edns subnet needs
to be enabled, module-config: "subnetcache validator iterator" should
be explicitly set as configuration in the server: section.

If edns subnet is enabled, the default for
module-config is no longer altered, so that compilation with subnet
does not interfere when the server does not use subnet. When edns subnet
is in use, also module-config: "subnetcache validator iterator" should
be set as configuration in the server: section.

The RC2 has fixes for building on Solaris and portability to Windows,
and fixes a memory leak for DoH.

Features

• Increase the default of max-global-quota to 200 from 128 after
  operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
• Fix #1175: serve-expired does not adhere to secure-by-default
  principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
• For #1175, the default value of serve-expired-ttl is set to 86400
  (1 day) as suggested by RFC8767.
• For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
• Add resolver.arpa and service.arpa to the default locally served
  zones.
• Merge #1042: Fast Reload. The unbound-control fast_reload is added.
  It reads changed config in a thread, then only briefly pauses the
  service threads, that keep running. DNS service is only interrupted
  briefly, less than a second.
• Merge #1019: Redis read-only replica support.
  Introduces new 'redis-replica-*' options for the Redis cache backend.
• Merge #902: DNS Error Reporting (RFC 9567). Introduces new
  configuration option 'dns-error-reporting' and new statistics for
  'num.dns_error_reports'.

Bug Fixes

• Fix #1154: Tag Incorrectly Applying for Other Interfaces
  Using the Same IP. This fix is not for 1.22.0.
• Fix #1163: Typos in unbound.conf documentation.
• Merge #1159: Stats for discard-timeout and wait-limit.
• Add test case for #1159.
• Some clean up for stat_values.test.
• Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
• Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
• Fix redis that during a reload it does not fail if the redis
  server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
• Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
• Fix SETEX check during Redis (re)initialization.
• Fix for the serve expired DNSSEC information fix, it would not allow
  current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
• Fix to log redis timeout error string on failure.
• More descriptive text for 'harden-algo-downgrade'.
• Complete fix for max-global-quota to 200.
• Fix #1183: the data being used is released in method
  nsec3_hash_test_entry.
• Fix for #1183: release nsec3 hashes per test file.
• Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
• Fix comparison to help static analyzer.
• For #1175, update serve-expired tests.
• Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
• Merge #1197: dname_str() fixes.
• Merge #1198: Fix log-servfail with serve expired and no useful cache
  contents.
• Safeguard alias loop while looking in the cache for expired answers.
• Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
• Fix typo in log_servfail.tdir test.
• Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
• Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
• Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
• Fix #1213: Misleading error message on default access control causing
  refuse.
• Merge #1221: Consider auth zones when checking for forwarders.
• Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
• Create the quic SSL listening context only when needed.
• Fix compile of interface check code when dnscrypt or quic is
  disabled.
• Fix encoding of RR type ATMA.
• Fix to check length in ATMA string to wire.
• Merge #1229: check before use daemon->shm_info.
• Use the same interface listening port discovery code for all needed
  protocols.
• Port to string only when needed before getaddrinfo().
• Do not open unencrypted channels next to encrypted ones on the same
  port.
• Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
• Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
• Make the default value of module-config "validator iterator"
  regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.
• Fix #986: Resolving sas.com with dnssec-validation fails though
  signed delegations seem to be (mostly) correct.
• Consider reconfigurations when calculating the still_useful_timeout
  for servers in the infrastructure cache.
• Fix static analysis report about unhandled EOF on error conditions
  when reading anchor key files.
• Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
  values.
• Fix hash calculation for cachedb to ignore case. Previously, cached
  records there were only relevant for same case queries (if not
  already in Unbound's internal cache).
• Merge #1243: Do not shadow tm on line 236.
• Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
  Add --help output description for the SOURCE_DATE_EPOCH variable.
• Fix 'unbound-control flush_negative' when reporting removed data;
  reported by David 'eqvinox' Lamparter.
• Fix representation of types GPOS and RESINFO, add rdf type for
  unquoted str.
• Fix #1251: WSAPoll first argument cannot be NULL.
• Fix for windows compile create ssl contexts.
• Fix print of RR type NSAP-PTR, it is an unquoted string.
• Fix #1253: Cache entries fail to be removed from Redis cachedb
  backend with unbound-control flush* +c.
• Fix for #1253: Fix for redis cachedb backend to expect an integer
  reply for the EXPIRE command.
• Fix #1254: send failed: Socket is not connected and
  remote address is 0.0.0.0 port 53.
• Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
• For #1255, for ios use an older expat version that does not require
  C++11 language features.
• For #1255, for ios disable building tests that require C++11.
• For #1255, for ios try the latest expat version again.
• Fix unit test dname log printout typecast.
• Fix for ci test, expat is installed on the osx image.
• iana portlist update.
• Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
• Fix escape more characters when printing an RR type with an unquoted
  string.
• Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
• Fix unbound-control test so it counts the new flush_negative output,
  also answers the _ta probe from testns and prints command output
  and skip a thread specific test when no threads are available.
• Fix that ub_event has the facility to deal with callbacks for
  fast reload, doq, windows-stop and dnstap.
• Fix fast reload test to check if pid exists before acting on it.
• Merge #1262 from markyang92, fix build with
  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
• For #1262, ifdef is no longer needed.
• Fix #1263: Exempt loopback addresses from wait-limit.
• Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
  to allow two arguments.
• Fix ub_event and include dnstap and win_svc headers.
• Fix test for stat_values for wait limit default...

Unbound 1.22.0

Unbound 1.22.0

This release has an option to harden against unverified glue, it
is enabled with harden-unverified-glue: yes. It was contributed
by Karthik Umashankar from Microsoft. This protects Unbound against
bad glue, that is out of zone, by performing a lookup for it.
Because it uses the original information as a last resort if nothing
works, it should not give lookup failures, and add protection.

There are options to configure the scrubbing for NS records and
the CNAME scrubbing and the max global quota lookup limit from
previous security fix releases. They can be configured with the
options iter-scrub-ns, iter-scrub-cname and max-global-quota.

For redis use, with cachedb, it is possible to specify the
timeout for the initial connection separately from the timeout
for commands. With the options redis-command-timeout: 20 and
redis-connect-timeout: 200 they can be set separately, for
a longer connect attempt, but a short command timeout to keep
resolution faster.

It is possible to log with ISO8601 format with log-time-iso: yes
this also logs time in milliseconds. Useful if the server writes to
file, syslog may have its own format.

DNS over QUIC is support is added, if compiled with libngtcp2 and
with the openssl+quic that it uses. Use --with-libngtcp2 for that,
and enable it with quic-port: 853. There is a post about it
on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to
appear after the release].

Features

• Add iter-scrub-ns, iter-scrub-cname and max-global-quota
  configuration options.
• Merge patch to fix for glue that is outside of zone, with
  harden-unverified-glue, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
• Add redis-command-timeout: 20 and redis-connect-timeout: 200,
  that can set the timeout separately for commands and the
  connection set up to the redis server. If they are not
  specified, the redis-timeout value is used.
• Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
  This adds the option log-time-iso: yes that logs in ISO8601
  format.
• Merge #871: DNS over QUIC. This adds quic-port: 853 and
  quic-size: 8m that enable dnsoverquic, and the counters
  num.query.quic and mem.quic in the statistics output.
  The feature needs to be enabled by compiling with libngtcp2,
  with --with-libngtcp2=path and libngtcp2 needs openssl+quic,
  pass that with --with-ssl=path to compile unbound as well.

Bug Fixes

• Fix #1126: unbound-control-setup hangs while testing for openssl
  presence starting from version 1.21.0.
• Add cross platform freebsd, openbsd and netbsd to github ci.
• Fix for char signedness warnings on NetBSD.
• Fix #1127: error: "memory exhausted" when defining more than 9994
  local-zones.
• Fix documentation for cache_fill_missing function.
• Fix #1130: Loads of logs: "validation failure: key for validation
  . is marked as invalid because of a previous" for
  non-DNSSEC signed zone.
• Fix that when rpz is applied the message does not get picked up by
  the validator. That stops validation failures for the message.
• Fix that stub-zone and forward-zone clauses do not exhaust memory
  for long content.
• Unit test for auth zone transfer TLS, and TLS failure.
• Fix to print port number in logs for auth zone transfer activities.
• Merge #1132: b.root renumbering.
• Fix for #1132, adjusted unit test for change in the test file.
• Fix for #1132, comment about adjusted copy of reference check.
• Merge #1135: Add new IANA trust anchor.
• Fix config file read for dnstap-sample-rate.
• Fix alloc-size and calloc-transposed-args compiler warnings.
• Fix comment to not trigger doxygen unknown command.
• Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
  enabled (RFC9077).
• Add unit test for ttl limit for aggressive nsec.
• Fix and add comments in testdata/val_negcache_ttl.rpl.
• Merge #1140: Fix spelling mistake in comments.
• Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
  already disabled.
• Fix dns64 with prefetch that the prefetch is stored in cache.
• Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
• More clear text for prefetch and minimal-responses in the
  unbound.conf man page.
• Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
• Fix negative cache NSEC3 parameter compares for zero length NSEC3
  salt.
• Fix unbound dnstap socket test program analyzer warnings about
  unused variable assignments and variable initialization.
• Fix #1149: unbound-control-setup hangs sometimes depending on
  the openssl version.
• Fix #1128: Cannot override tcp-upstream and tls-upstream with
  forward-tcp-upstream and forward-tls-upstream.
• Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
  prefetch ttl for messages after a CNAME with short TTL.
• Fix for dnstap compile of doqclient with doq disabled.
• Fix cookie_file test sporadic fails for time change during
  the test.
• Fix add reallocarray to alloc stats unit test, and disable
  override of strdup in unbound-host, and the result of config
  get option is freed properly.
• Fix to disable detection of quic configured ports when quic is
  not compiled in.
• Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
• Fix contrib/aaaa-filter-iterator.patch for change in call
  signature for cache_fill_missing.
• Fix to display warning if quic-port is set but dnsoverquic is not
  enabled when compiled.
• Fix dnsoverquic to extend the number of streams when one is closed.
• Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
• Fix for dnsoverquic and dnstap to use the correct dnstap
  environment.

Unbound 1.21.1

This security release fixes CVE-2024-8508.

A vulnerability has been discovered in Unbound when handling replies
with very large RRsets that Unbound needs to perform name compression
for.

Malicious upstreams responses with very large RRsets can cause Unbound
to spend a considerable time applying name compression to downstream
replies. This can lead to degraded performance and eventually denial of
service in well orchestrated attacks.

The vulnerability can be exploited by a malicious actor querying Unbound
for the specially crafted contents of a malicious zone with very large
RRsets.
Before Unbound replies to the query it will try to apply name
compression which was an unbounded operation that could lock the CPU
until the whole packet was complete.

Unbound version 1.21.1 introduces a hard limit on the number of name
compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed
packets or truncated packets, even on TCP for huge messages, to avoid
locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and
responsibly disclosing the vulnerability.

Bug Fixes:

• Fix CVE-2024-8508, unbounded name compression could lead to denial of
  service.

Unbound 1.21.0

Unbound 1.21.0

This release has a fix for the CAMP and CacheFlush issues. They have a
low severity for Unbound, since it does not affect Unbound so much.

The Compositional Amplification (CAMP) type of attacks can lead to DoS
attacks against DNS servers. In Unbound legitimate client requests to
the resolvers under typical workload are not directly affected by CAMP
attacks. However we introduce a global quota for 128 outgoing packets
per query (and it's subqueries) that is never reset to prevent the
combination of CAMP with other amplification attacks in the future. We
would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin
Tanir from NetSec group, ETH Zurich for discovering and notifying us
about the issue.

The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to
evict cached data by utilizing rogue zones and a steady rogue stream to
a resolver. Based on the zone, the stream, the configured cache size
and the legitimate traffic, Unbound could experience a degradation of
service if a useful entry is evicted and Unbound needs to resolve again.
As a mitigation to the NSCacheFlush attack Unbound is setting a limit
of 20 RRs in an NS RRset. We would like to thank Yehuda Afek, Anat
Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and
Reichman University) for discovering and notifying us about the issue.

Other fixes in this release are bug fixes. Also the unbound control
commands that flush the cache can clear both the memory and cachedb
module cache. The ipset module can use BSD pf tables. The new option
dnstap-sample-rate: 100 can be used to log 1/N messages, for use in
high volume server environments where the log server does not keep up.

The new DNSSEC key for the root, 38696 from 2024 has been added. It is
added to the default root keys in unbound-anchor. The content can be
inspected with unbound-anchor -l. Older versions of Unbound can keep
up with the root key with auto-trust-anchor-file that has RFC5011
key rollover. Also unbound-anchor can fetch the keys from the website
with a certificate if needed.

For cookie secrets, it is possible to perform rollover. The file
with cookie secret in use and the staging secret is configured
with cookie-secret-file. With the remote control the rollover can be
performed, add_cookie_secret, activate_cookie_secret, drop_cookie_secret
and print_cookie_secrets can be used for that.

Compared to the RC1, the release has a fix for module loading on Windows,
and a spelling correction.

Features

• Fix #1071: [FR] Clear both in-memory and cachedb module cache with
  unbound-control flush* commands.
• Fix #144: Port ipset to BSD pf tables.
• Add dnstap-sample-rate that logs only 1/N messages, for high volume
  server environments. Thanks Dan Luther.
• Add root key 38696 from 2024 for DNSSEC validation. It is added
  to the default root keys in unbound-anchor. The content can be
  inspected with unbound-anchor -l.
• Merge #1090: Cookie secret file. Adds
  cookie-secret-file: "unbound_cookiesecrets.txt" option to store
  cookie secrets for EDNS COOKIE secret rollover. The remote control
  add_cookie_secret, activate_cookie_secret and drop_cookie_secret
  commands can be used for rollover, the command print_cookie_secrets
  shows the values in use.

Bug Fixes

• Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
  Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
• Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
  Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
  University and Reichman University).
• Merge #1062: Fix potential overflow bug while parsing port in
  function cfg_mark_ports.
• Fix for #1062: declaration before statement, avoid print of null,
  and redundant check for array size.
• Fix to squelch udp connect errors in the log at low verbosity about
  invalid argument for IPv6 link local addresses.
• Fix when the mesh jostle is exceeded that nameserver targets are
  marked as resolved, so that the lookup is not stuck on the
  requestlist.
• Add missing common functions to tdir tests.
• Merge #1070: Fix rtt assignement for low values of
  infra-cache-max-rtt.
• Merge #1069: Fix unbound-control stdin commands for multi-process
  Unbounds.
• Fix unbound-control commands that read stdin in multi-process
  operation (local_zones_remove, local_zones, local_datas_remove,
  local_datas, view_local_datas_remove, view_local_datas). They will
  be properly distributed to all processes. dump_cache and load_cache
  are no longer supported in multi-process operation.
• Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir
  now checks both single and multi process/thread operation.
• Merge #1073: fix null pointer dereference issue in function
  ub_ctx_set_fwd.
• Fix to print a parse error when config is read with no name for
  a forward-zone, stub-zone or view.
• Fix for parse end of forward-zone, stub-zone and view.
• Fix for #1064: Fix that cachedb expired messages are considered
  insecure, and thus can be served to clients when dnssec is enabled.
• Fix #1059: Intermittent DNS blocking failure with local-zone and
  always_nxdomain. Addition of local_zones dynamically via
  unbound-control was not finding the zone's parent correctly.
• Fix #1064: Unbound 1.20 Cachedb broken?
• Fix unused variable warning on compilation with no thread support.
• unbound-control-setup: check openssl availability before doing
  anything, patch from Michael Tokarev.
• Update patch to remove 'command' shell builtin and update error
  text.
• Fix to enable that SERVFAIL is cached, for a short period, for more
  cases. In the cases where limits are exceeded.
• Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
• Merge #1078: Only check old pid if no username.
• Fix #1079: tags from tagged rpz zones are no longer honored after
  upgrade from 1.19.3 to 1.20.0.
• Fix for #1079: fix RPZ taglist in iterator callback that no client
  info is like no taglist intersection.
• Fix to squelch connection reset by peer errors from log. And fix
  that the tcp read errors are labeled as initial for the first calls.
• Merge #1080: AddressSanitizer detection in tdir tests and memory leak
  fixes.
• Fix memory leak when reload_keep_cache is used and num-threads
  changes.
• Fix memory leak on exit for unbound-dnstap-socket; creates false
  negatives during testing.
• Fix memory leak in setup of dsa sig.
• Fix typos for 'the the' in text.
• Fix validation for repeated use of a DNAME record.
• Add unit test for validation of repeated use of a DNAME record.
• Fix #1091: Build fails with OpenSSL >= 3.0 built with
  OPENSSL_NO_DEPRECATED.
• Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
  adding helpful text for the Python interpreter version and allowing
  the default pkg-config unavailability error message to be shown.
• Fix pkg-config availability check in dnstap/dnstap.m4 and
  systemd.m4.
• Explicitly set the RD bit for the mesh query flags when prefetching.
  These queries have no waiting client but they need to be treated as
  recursive.
• Fix ip-ratelimit-cookie setting, it was not applied.
• Fix to remove unused include from the readzone test program.
• Fix unused variable warning in do_cache_remove.
• Fix compile warning in worker pthread id printout.
• Add unit test skip files and bison and flex output to gitignore.
• Fix to use modstack_init in zonemd unit test.
• Fix to remove unneeded linebreak in fptr_wlist.c.
• Fix compile warnings in fptr_wlist.c.
• Fix for repeated use of a DNAME record: first overallocate and then
  move the exact size of the init value to avoid false positive heap
  overflow reads from address sanitizers.
• Fix to print details about the failure to lookup a DNSKEY record
  when validation fails due to the missing DNSKEY. Also for key prime
  and DS lookups.
• Fix for neater printout for error for missing DS response.
• Fix neater printout.
• Fix #1099: Unbound core dump on SIGSEGV.
• Fix for #1099: Fix to check for deleted RRset when the contents
  is updated and fetched after it is stored, and also check for a
  changed RRset.
• Don't check for message TTL changes if the RRsets remain the same.
• Fix that validation reason failure that uses string print uses
  separate buffer that is passed, from the scratch validation buffer.
• Fixup algo_needs_reason string buffer length.
• Fix shadowed error string variable in validator dnskey handling.
• Update list of known EDE codes.
• For #773: In contrib/unbound.service.in set unbound to start after
  network-online.target. Also for contrib/unbound_portable.service.in.
• Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
• For #1103: fix to also drop mesh state reference when a h2 reply is
  dropped.
• Add RPZ tag tests in acl_interface.tdir.
• For #1102: clearer text for using interface-* options for the
  loopback interface.
• For #1103: fix to also drop mesh state reference when the discard
  limit is reached, when there is an error making a new recursion
  state and when the connection is dropped with is_drop.
• For #1103: Fix to drop mesh state reference for the http2 stream
  associated with the reply, not the currently active stream. And
  it does not remove it twice on a mesh_send_reply call. The reply
  h2_stream is NULL when not in use, for more initialisation.
• Fix dnstap wakeup, a running wakeup timer is left to expire and not
  increased, a timer is started when the dtio thread is sleeping,
  the timer set disabled when the dtio thread goes to sleep, and
  after sleep the thread checks to see if there are messages to log
  immediately.
• Merge #1110: Make fallthrough explicit for libworker.c.
• For #1110: Test for fallthrough attribute in configure and add
  fallthrough attribute an...