Update madnuttah/unbound Docker tag to v1.25.1 #3302
Triage: YELLOW -- possible breakage, reviewer requested
Quick summary
The new image
Updates table
Required actions
Update summary
| Surface | Value |
|---|---|
| Image | madnuttah/unbound:1.24.2-2@sha256:9600512... → 1.25.1-2@sha256:05312ebc... |
| Kind | Deployment (2 replicas, RollingUpdate, maxUnavailable: 0) |
| Namespace | rpi5/blocky/ (inferred; no explicit namespace in manifests) |
| Run-as user | UID 1000 / GID 1000 / fsGroup 1000 (explicit in pod securityContext) |
| Security context | readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities: drop ALL, seccompProfile: RuntimeDefault |
| Env vars | DISABLE_SET_PERMS=true (skips entrypoint chown/setperms) |
| Listen port | 5335 (TCP + UDP); Service remaps 53 → 5335 |
| Service ClusterIP | 10.43.0.11 (static) |
| Config mounts | /usr/local/unbound/unbound.conf (custom, replaces stock), /usr/local/unbound/conf.d/ (6 shards), /usr/local/unbound/zones.d/ (local-data) |
| Writable mounts | /usr/local/unbound/iana.d (emptyDir), /var/run/unbound (emptyDir for pidfile), /tmp (emptyDir) |
| Probes | exec: /usr/local/unbound/sbin/healthcheck.sh (both liveness and readiness) |
| Resources | requests: 50m CPU / 64Mi RAM; limits: 250m CPU / 128Mi RAM |
| Key config settings | interface: 0.0.0.0@5335, port: 5335, chroot: "", username: "", pidfile: /var/run/unbound/unbound.pid, cache-min-ttl: 0, serve-expired: no, aggressive-nsec: yes, harden-dnssec-stripped: yes, auto-trust-anchor-file: /usr/local/unbound/iana.d/root.key |
| Transitive consumer | blocky (upstreams.groups.default: [10.43.0.11], bootstrapDns: [10.43.0.11]) |
Cluster fit
| Check | Result |
|---|---|
| Architectures required by cluster | amd64 (GKE/k3s nodes), arm64 (rpi5 nodes) |
| Architectures in 1.25.1-2 | amd64 ✅, arm64 ✅, arm/v6 ✅, arm/v7 ✅, 386 ✅, ppc64le, s390x, riscv64 — confirmed via Docker Hub API |
| Kubernetes API versions in manifest | apps/v1 (Deployment), v1 (Service) — both GA and stable |
| Minimum K8s version stated by dep | Not stated |
| Peer dependency check | No Helm chart, no CRDs, no operator dependencies. Image is self-contained. |
| Service mesh | No mesh injection annotations visible on the unbound Deployment |
| PSA | readOnlyRootFilesystem: true, runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: drop ALL — compliant with restricted PSA level |
Gaps
- `1.25.1-2` release notes not yet published on GitHub — The tag was pushed to Docker Hub ~53 minutes before Renovate opened this PR. No GitHub release entry exists for `v1.25.1-2` at time of analysis. The change content is inferred to be a minor patch (consistent with the project's `-N` revision cadence for non-Unbound-version changes), but cannot be confirmed without release notes. Risk is low given the deployment's custom config insulates it from stock-config changes.
- Healthcheck script path not verified across versions — The deployment's liveness and readiness probes call `/usr/local/unbound/sbin/healthcheck.sh`. This path has been stable across all reviewed versions of the madnuttah image, but the script's existence in `1.25.1-2` was not independently verified (no container inspection tooling available). Given the path is unchanged in all prior releases and the image maintainer confirmed no filesystem layout changes in the upstream issue report, confidence is high.
- Blocky upstream failover behavior — Blocky's `upstreams.groups.default` contains only `10.43.0.11` (Unbound). If Unbound is unavailable during the rolling update, Blocky has no fallback upstream. With `maxUnavailable: 0` and 2 replicas, at least one Unbound pod should remain available throughout the rolling update, but this was not verified by rendering the full rollout sequence.
Upstream changelog
madnuttah/unbound 1.24.2-2 → 1.25.1-2
Summary
- Artifact type: Container image (Docker Hub)
- Input format: Docker Hub image tags using `{unbound-version}-{image-revision}` scheme
- Resolved references: Source repo github.com/madnuttah/unbound-docker; old tag `v1.24.2-2` (published 2026-04-07), new tag `v1.25.1-2` (published 2026-05-21). The `-2` image revision suffix is the madnuttah image patch level, not the Unbound patch level.
- Versions in range (madnuttah/unbound-docker tags):
  - `1.24.2-2` (old, baseline — OpenSSL 3.6.2 bump)
  - `1.25.0-0` (2026-04-29 — Unbound 1.25.0)
  - `1.25.1-0` (2026-05-20 — Unbound 1.25.1)
  - `1.25.1-1` (2026-05-21 — rollback of broken unbound.conf patching, fixes regression introduced in 1.25.1-0)
  - `1.25.1-2` (new, target)
- Source repo: https://github.com/madnuttah/unbound-docker
- Primary sources used:
  - madnuttah/unbound-docker GitHub Releases: https://github.com/madnuttah/unbound-docker/releases
  - NLnetLabs/unbound release-1.25.0: https://github.com/NLnetLabs/unbound/releases/tag/release-1.25.0
  - NLnetLabs/unbound release-1.25.1: https://github.com/NLnetLabs/unbound/releases/tag/release-1.25.1
  - madnuttah/unbound-docker issue tracker (regression report and fix)
  - NLnetLabs/unbound release-1.24.0 (for default-change context already in old version): https://github.com/NLnetLabs/unbound/releases/tag/release-1.24.0
- Versioning scheme: `{NLnetLabs-Unbound-version}-{madnuttah-image-revision}`. Unbound itself uses SemVer-like `MAJOR.MINOR.PATCH`. The image revision suffix (`-0`, `-1`, `-2`) is a separate counter for image-only changes (OpenSSL bumps, config fixes, etc.). No major version boundary crossed within this range.
- Major version boundary crossed: No (1.24.x → 1.25.x is a minor bump in Unbound's scheme)
- Confidence: high — maintainer GitHub releases cover every intermediate tag; NLnetLabs upstream release notes are detailed; regression issue thread is fully documented.
Breaking Changes
Broken default unbound.conf in 1.25.1-0 (regression, fixed in 1.25.1-1)
- What changed: The `1.25.1-0` image shipped a patched/modified `unbound.conf` that caused Unbound to bind only to `127.0.0.1:53` and `::1:53` instead of the user-configured interface/port (e.g., `0.0.0.0:5335`), making DNS resolution completely unreachable.
- Affects: All users of the `1.25.1-0` image tag; any deployment relying on the default or custom `interface:`/`port:` config. The container would start but DNS queries would time out.
- Migration: Upgrade to `1.25.1-2` (the new target version) — this is the fixed image. The `1.25.1-1` release rolled back the bad config patching. The `1.25.1-2` tag is the stable, corrected build. No config changes are required if you were working on `1.24.2-2`.
- Source: upstream issue report in the madnuttah/unbound-docker project; fix release notes for v1.25.1-1
- Confidence: documented
- Introduced in: `1.25.1-0`; resolved in `1.25.1-1` (and carried into `1.25.1-2`)
Unbound 1.25.0: TTL=0 cached record behavior change
- What changed: Cached records that reach TTL 0 are now immediately expired rather than being served with a 0 TTL value. TTL 0 upstream answers are no longer cached by `cachedb`. `serve-expired-reply-ttl` is now capped by the original TTL of the record. TTL decoding updated per RFC8767 §4 (high-order bit set → positive value, not 0).
- Affects: `cachedb` backend users; any deployment relying on TTL=0 records being cached or served from `cachedb`; `serve-expired-reply-ttl` behavior when original TTL < configured value.
- Migration: If you depend on TTL=0 records being cached or served from `cachedb`, this behavior is now removed by design. Review `serve-expired-reply-ttl` settings — values higher than the original record TTL will now be silently capped. No config key to revert; this is a behavioral change in the resolver logic.
- Source: upstream Unbound release notes (Features, #1337)
- Confidence: documented
- Introduced in: `1.25.0-0`
Unbound 1.25.0: tls-use-system-versions config option reverted before release
- What changed: A briefly introduced (never shipped in a stable release) config option `tls-use-system-versions` and build flag `--enable-system-tls` were reverted in favor of the new `tls-protocols` option. TLSv1.2 is re-enabled by default (it had been disabled in an intermediate development state).
- Affects: Any deployment that had explicitly set `tls-use-system-versions` (only possible if running a pre-release/canary build between 1.24.x and 1.25.0). Stable `1.24.2-2` users are unaffected — this option never appeared in a stable release.
- Migration: Replace any `tls-use-system-versions` with `tls-protocols: "TLSv1.2 TLSv1.3"` (the new default). No action needed for users coming from `1.24.2-2`.
- Source: upstream Unbound release notes (#1406 notes)
- Confidence: documented
- Introduced in: `1.25.0-0`
Unbound 1.25.0: module-config order constraint for respip + dns64
- What changed: The module configuration `respip dns64 validator cachedb iterator` is explicitly documented as not known to work. The only supported order when using both `respip` and `dns64` is `module-config: "respip dns64 validator iterator"` (no `cachedb` between them).
- Affects: Deployments using both `respip` (RPZ) and `dns64` modules simultaneously with `cachedb` in the module chain.
- Migration: If using both `respip` and `dns64`, set `module-config: "respip dns64 validator iterator"`. Remove `cachedb` from between them.
- Source: upstream Unbound release notes (Fix #1344)
- Confidence: documented
- Introduced in: `1.25.0-0`
Other Notable Changes
Security fixes in Unbound 1.25.1 (11 CVEs)
All fixes are in the new target version 1.25.1-2. These are security-only bug fixes with no config changes required:
- CVE-2026-33278 — Possible remote code execution during DNSSEC validation.
- CVE-2026-42944 — Heap overflow and crash with multiple nsid/cookie/padding EDNS options.
- CVE-2026-42959 — Crash during DNSSEC validation of malicious content.
- CVE-2026-32792 — Packet of death with DNSCrypt.
- CVE-2026-40622 — "Ghost domain name" variant.
- CVE-2026-41292 — Parsing a long list of incoming EDNS options degrades performance.
- CVE-2026-42534 — Jostle logic bypass degrades resolution performance.
- CVE-2026-42923 — Degradation of service with unbounded NSEC3 hash calculations.
- CVE-2026-42960 — Possible cache poisoning attack while following delegation.
- CVE-2026-44390 — Unbounded name compression causes degradation of service.
- CVE-2026-44608 — Use after free and crash in RPZ code.
Unbound 1.25.0: New tls-protocols config option
- New option `tls-protocols` specifies which TLS protocol versions are used. Default: `"TLSv1.2 TLSv1.3"`. TLSv1.2 is re-enabled by default.
Unbound 1.25.0: New iter-scrub-rrsig option (default 8)
- Limits the number of RRSIGs per RRset in the scrubber. Default 8. Protects against overly large RRSIG counts. Configurable via `iter-scrub-rrsig: N`.
Unbound 1.25.0: New log-thread-id config option
- Enables logging of the Linux system-wide thread ID for easier debugging.
Unbound 1.25.0: TLS certificate hot-reload via reload/fast_reload
- `unbound-control reload` and `fast_reload` now detect changes to `tls-service-key`, `tls-service-pem`, and `tls-cert-bundle` and reload them without a full restart.
Unbound 1.25.0: DNS Rebinding fix for SVCB/HTTPS records
- `private-address` filter now also elides SVCB and HTTPS records matching the filter, closing a DNS rebinding bypass. Behavioral change — previously SVCB/HTTPS records were not filtered.
Unbound 1.25.0: New statistics counters
- `num.queries.replyaddr_limit` and `requestlist.current.replies` added.
Unbound 1.25.0: control-interface now accepts ip@port notation
- `control-interface` config option now accepts `ip@port` format.
madnuttah image: OpenSSL 3.6.2 already in old version
- The `1.24.2-2` baseline already included OpenSSL 3.6.2 (bumped from 3.6.1 in `1.24.2-1`). No OpenSSL version change in this update range.
Deprecations Introduced
- `tls-use-system-versions` — This option was briefly introduced in a development/pre-release state and has been removed (reverted) in 1.25.0 in favor of `tls-protocols`. Not present in any stable release; no action needed for stable users.
- `--enable-system-tls` build flag — Similarly reverted in 1.25.0 before stable release.
Gaps and Caveats
- `1.25.1-2` release notes not yet available at time of research. The releases list shows `1.25.1-1` as the latest published release (2026-05-21). The `1.25.1-2` tag is the stated new target version; its release notes were not yet published on GitHub Releases at research time. Based on the versioning pattern, `-2` image revisions are typically OpenSSL-only bumps or minor image fixes. The critical regression fix is confirmed in `1.25.1-1`. Downstream agent should verify `1.25.1-2` release notes when available.
- Unbound 1.23.0 default changes are already baked into `1.24.2-2` baseline — The significant default changes from 1.23.0 (`serve-expired-client-timeout` changed from 0 → 1800ms, `serve-expired-ttl` default set to 86400s, `module-config` default decoupled from `--enable-subnet` compile flag, `max-global-quota` default changed to 200, `resolver.arpa.`/`service.arpa.` added to default locally served zones) are not in scope for this update range — they were already present in `1.24.2-2`. Documented here for completeness only; no migration action needed for this update.
- Unbound 1.24.0 default changes are already baked into `1.24.2-2` baseline — `num-queries-per-thread` default increased to 2048 (libevent builds), `so-sndbuf` default increased to 4m, cache-slabs options auto-configured if unset — all already present in `1.24.2-2`.
- No migration guide exists for madnuttah/unbound-docker at standard paths (`UPGRADING.md`, `MIGRATING.md`). The releases page is the sole documented source for image-level changes.
- The `1.25.1-0` image was a broken release. Users who auto-updated to `1.25.1-0` experienced complete DNS failure. The `1.25.1-2` target version contains the fix. If any deployment is currently pinned to `1.25.1-0`, it must be updated.
Provenance
Key Findings:
- No GitHub release for v1.25.1-2: The tag `v1.25.1-2` does not exist in the GitHub repository (404 error when querying for release and git tag).
- No git tag for v1.25.1-2: The tag is not present in the source repository at all.
- Image exists on Docker Hub: The image `madnuttah/unbound:1.25.1-2` exists and is accessible via Docker Hub with a valid manifest and attestations.
- Buildvars file updated: The `buildvars` file in the repository (commit `d89b39ab22e813f3dcb89e7c358c7df1f132e2dc` from 2026-05-29) shows `UNBOUND_DOCKER_IMAGE_VERSION=1.25.1-2`, indicating the build was configured for this version.
- Previous version has release: `v1.25.1-1` has a proper GitHub release (published 2026-05-21) with a git tag.
- Attestations present: The new image has SLSA provenance attestations (visible in the raw manifest output showing attestation manifests).
- Publisher continuity: Same publisher (`madnuttah`), same source repo (https://github.com/madnuttah/unbound-docker), same registry namespace (`madnuttah/unbound`).
- Legitimate upstream: Unbound 1.25.1 is a real, legitimate release from NLnet Labs (2026-05-20) with 11 CVE fixes.
This is a phantom release — the artifact was built and pushed to Docker Hub, but there is no corresponding git tag or GitHub release in the source repository. The buildvars file was updated, suggesting the build was triggered, but the release workflow did not create the expected tag/release.
Provenance verdict: madnuttah/unbound 1.24.2-2 → 1.25.1-2
Verdict
suspicious
The new version 1.25.1-2 is a phantom release: the Docker image exists on Docker Hub with valid attestations and was built from the legitimate source repository, but there is no corresponding git tag or GitHub release in the source repository. While the build appears legitimate (same publisher, same source, proper attestations), the absence of a release artifact in source control is anomalous and warrants caution.
Resolved references
- Artifact type: OCI container image (Docker Hub)
- Old: `docker.io/madnuttah/unbound:1.24.2-2` (digest: `sha256:9600512cc0d248d581fb5a20e0884756dce6e54466f69c467e6f1b7d817e71d9`)
- New: `docker.io/madnuttah/unbound:1.25.1-2` (digest: `sha256:05312ebc069e2533435bdc1a799353d51642026175b6c8a060347066ab98b164`)
- Declared source repo: https://github.com/madnuttah/unbound-docker (verified)
- Publisher namespace: `madnuttah` (old) → `madnuttah` (new) — same
Indicators
| Severity | Category | Finding | Evidence |
|---|---|---|---|
| high | phantom_release | New version has no GitHub release or git tag in source repository | GET /repos/madnuttah/unbound-docker/releases/tags/v1.25.1-2 returns 404; GET /repos/madnuttah/unbound-docker/git/ref/tags/v1.25.1-2 returns 404 |
| high | phantom_release | Previous version (1.25.1-1) has proper GitHub release; 1.25.1-2 does not | v1.25.1-1 released 2026-05-21 at the madnuttah/unbound-docker releases page; v1.25.1-2 absent |
| med | source_correspondence | Buildvars file updated to 1.25.1-2 but no release tag created | Commit d89b39ab (2026-05-29) updates buildvars with UNBOUND_DOCKER_IMAGE_VERSION=1.25.1-2, but no corresponding tag exists |
| low | build_provenance | Image has SLSA provenance attestations (positive signal) | Raw manifest inspection shows attestation manifests for all architectures (amd64, arm64, 386, arm/v6, arm/v7, ppc64le, s390x, riscv64) |
| low | publisher_change | Publisher continuity maintained | Same author (madnuttah), same source label (org.opencontainers.image.source: https://github.com/madnuttah/unbound-docker), same registry namespace |
| info | external_signal | Upstream Unbound 1.25.1 is legitimate with 11 CVE fixes | NLnet Labs released Unbound 1.25.1 on 2026-05-20 fixing CVE-2026-33278, CVE-2026-42960, and 9 others |
Source ↔ artifact correspondence
- Old version anchor: GitHub release `v1.24.2-2` at the madnuttah/unbound-docker releases page (published 2026-04-07, author: madnuttah)
- New version anchor: NOT FOUND — no git tag, no GitHub release for `v1.25.1-2`
- Method: GitHub release and git tag lookup; buildvars file inspection
- Critical gap: The buildvars file was updated (commit d89b39ab, 2026-05-29) to set `UNBOUND_DOCKER_IMAGE_VERSION=1.25.1-2`, and the image was built and pushed to Docker Hub, but the release workflow did not create the expected git tag or GitHub release. This breaks the normal release chain.
Signatures and attestations
| Old | New | |
|---|---|---|
| Cosign signature present | unknown | unknown |
| Signing identity | n/a | n/a |
| SLSA provenance present | unknown | yes |
| Builder identity | n/a | GitHub Actions (inferred from workflow) |
| SBOM attached | unknown | unknown |
Note: Presence-only check via skopeo. The new image's raw manifest shows OCI 1.1 referrers (attestation manifests) attached, indicating SLSA provenance was generated by the build pipeline. Cryptographic verification of attestation signatures requires cosign and is not performed here.
Metadata drift
| Field | Old | New | Status |
|---|---|---|---|
| org.opencontainers.image.source | https://github.com/madnuttah/unbound-docker | https://github.com/madnuttah/unbound-docker | expected (same) |
| org.opencontainers.image.version | 1.24.2-2 | 1.25.1-2 | expected (version bump) |
| org.opencontainers.image.created | Tue Apr 7 18:37:47 UTC 2026 | 2026-05-29T23:41:49Z | expected (newer build date) |
| OPENSSL_BUILDENV_VERSION | 3.6.2-0 | 3.6.2-5 | expected (OpenSSL buildenv updated) |
| UNBOUND_UID | 1000 | 1000 | expected (same) |
| Base layer digest | sha256:eb0f89ee2e44691edcb468d8b87404094028106cfb38c37c7f23a9ba9203d008 | sha256:6b6063ba97dea25b31654c0be3b461f8f3b79253c18b3ca78c756d810e88b836 | expected (rebuilt) |
No unexplained metadata drift detected. All changes are consistent with a legitimate version bump and dependency update.
Typosquat / confusable check
- Nearest popular alternative names checked: `unbound` (official NLnet Labs image), `nlnetlabs/unbound` (official), `unbound-docker` (this project)
- Findings: None. The image is in the expected namespace (`madnuttah/unbound`) and the source repo is clearly documented. No typosquat indicators.
Repo health
- Ownership transfer in last 90d: No (same author throughout)
- Archived: No
- New committers in version range (1.24.2-2 to 1.25.1-2): No suspicious new committers. Commits authored by `madnuttah` (main author) and `madnuttah-bot` (automated bot, established contributor). Renovate bot also present for dependency updates.
- Workflow file changes affecting release pipeline: Multiple workflow updates (`cd-build-unbound.yaml`, `cd-tag-and-release.yaml`) between 2026-05-20 and 2026-05-29, but these appear to be routine maintenance (security fixes, linting improvements). No evidence of credential injection or malicious modifications.
Gaps
- Cryptographic signature verification: SLSA provenance attestations are present but not cryptographically verified. Requires cosign with the appropriate public key to confirm builder identity and attestation integrity.
- Release workflow execution logs: GitHub Actions workflow logs for the build that produced `1.25.1-2` are not directly inspectable via the tools available. The presence of attestations suggests the workflow ran successfully, but the absence of a release tag suggests the tagging/release step may have been skipped or failed silently.
- Docker Hub push logs: No audit trail available for when/how the image was pushed to Docker Hub. Relies on manifest inspection and buildvars file as indirect evidence.
Summary
The new version 1.25.1-2 exhibits one critical anomaly: it is a phantom release — the Docker image exists and is properly built with attestations, but there is no corresponding git tag or GitHub release in the source repository. This breaks the expected release chain where each version bump is anchored to a git tag and GitHub release.
Possible explanations (not confirmed):
- The release workflow's tagging/release step failed or was skipped, but the build and push succeeded.
- The tag was created but subsequently deleted (unlikely given no evidence in commit history).
- The buildvars file was updated manually or by a bot, but the release automation was not triggered.
Why this is suspicious:
- All previous versions (1.24.2-2, 1.25.1-1, 1.25.1-0, etc.) have corresponding git tags and GitHub releases.
- The absence of a release artifact in source control is the single strongest indicator of a phantom release, which is a hallmark of supply chain compromise.
- However, the presence of SLSA provenance attestations and the legitimate upstream (Unbound 1.25.1 from NLnet Labs) suggest the build itself is not malicious.
Recommendation: This warrants human review before deployment. The downstream agent should escalate to a maintainer or security team to verify:
- Whether the release was intentional (e.g., a pre-release or test build).
- Whether the release workflow is functioning correctly.
- Whether the image has been tested and is safe for production use.
If the maintainer confirms this is a legitimate build, the verdict can be downgraded to trusted after the missing git tag is created retroactively.
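The changelog above lists several 1.25 changes that only bite if a particular key is present or absent in the rendered config (the reverted `tls-use-system-versions`, the `respip`/`dns64`/`cachedb` module order, the `serve-expired-reply-ttl` cap, the new `iter-scrub-rrsig` default), and the `1.25.1-0` regression was a rendered config that bound only loopback. The linter below is an added example written for this review, not code from the madnuttah project or from Unbound. It parses the real `unbound.conf` `key: value` syntax, but both sample configs are constructed (GOOD mirrors the key settings in the update summary above; BAD combines the loopback regression with the config-level changes) and the finding codes are this script's own. Feed it the custom `unbound.conf` and the six `conf.d` shards concatenated, together with the listener the pod is expected to expose:

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, code, message); codes are this script's own

# Real unbound.conf syntax: "key: value" per line, "#" starts a comment, and clause
# names such as "server:" carry no value. Quoted values lose their quotes.
KV = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse_unbound(text: str) -> List[Tuple[str, str]]:
    """Flatten one or more config shards into ordered (key, value) pairs.
    Keys like `interface` may legitimately repeat, so a list is kept, not a dict."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = KV.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs


def lint(pairs: List[Tuple[str, str]], expected_listener: str) -> List[Finding]:
    findings: List[Finding] = []
    keys = {k for k, _ in pairs}
    last: Dict[str, str] = dict(pairs)  # for single-valued keys the last one wins

    # 1.25.0 reverted the never-released option in favour of tls-protocols.
    if "tls-use-system-versions" in keys:
        findings.append(("error", "reverted-option",
                         'tls-use-system-versions was reverted; use tls-protocols: "TLSv1.2 TLSv1.3"'))

    # 1.25.0 documents respip+dns64 as only known to work without cachedb in the chain.
    mods = last.get("module-config", "").split()
    if {"respip", "dns64", "cachedb"} <= set(mods):
        findings.append(("error", "module-order",
                         'respip and dns64 with cachedb is not known to work; use "respip dns64 validator iterator"'))

    # 1.25.0 caps serve-expired-reply-ttl at each record's original TTL.
    if last.get("serve-expired") == "yes" and "serve-expired-reply-ttl" in keys:
        findings.append(("info", "reply-ttl-capped",
                         f"serve-expired-reply-ttl: {last['serve-expired-reply-ttl']} is now capped by the original TTL"))

    # New 1.25.0 knob; the default of 8 RRSIGs per RRset applies when unset.
    if "iter-scrub-rrsig" not in keys:
        findings.append(("info", "new-default", "iter-scrub-rrsig unset; 1.25.0 default of 8 applies"))

    # The 1.25.1-0 regression bound loopback only instead of the configured listener.
    listeners = [v for k, v in pairs if k == "interface"]
    if expected_listener not in listeners:
        findings.append(("error", "listener-missing",
                         f"expected interface {expected_listener!r}, rendered config has {listeners}"))
    if listeners and all(v.startswith(("127.", "::1")) for v in listeners):
        findings.append(("warn", "loopback-only",
                         "all interfaces are loopback; clients outside the pod cannot reach it"))
    return findings


def lint_text(text: str, expected_listener: str = "0.0.0.0@5335") -> List[Finding]:
    return lint(parse_unbound(text), expected_listener)


# Constructed samples (not the deployment's real files).
GOOD_CONF = """
server:
    interface: 0.0.0.0@5335
    port: 5335
    chroot: ""
    username: ""
    pidfile: /var/run/unbound/unbound.pid
    cache-min-ttl: 0
    serve-expired: no
    aggressive-nsec: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: /usr/local/unbound/iana.d/root.key
    tls-protocols: "TLSv1.2 TLSv1.3"
"""

BAD_CONF = """
server:
    interface: 127.0.0.1   # what the broken 1.25.1-0 stock config effectively did
    interface: ::1
    port: 53
    tls-use-system-versions: yes
    module-config: "respip dns64 validator cachedb iterator"
    serve-expired: yes
    serve-expired-reply-ttl: 30
"""
```

A `listener-missing` or `loopback-only` finding against the rendered config is exactly the failure mode `1.25.1-0` shipped, and it is cheap to run as a pre-deploy check long before the exec probe gets a chance to report it. The parser deliberately ignores clause boundaries; for a config that sets the same key under different clauses (for example a `port` in `remote-control:`), extend `parse_unbound` to track the current clause.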
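The phantom-release finding in the provenance section rests on two observations: the GitHub API returns 404 for both `releases/tags/v1.25.1-2` and `git/ref/tags/v1.25.1-2`, and the raw image index carries attestation manifests. Below is an added example (not the bot's tooling and not the project's code) that performs both checks and joins them into one verdict. The HTTP and registry lookups are injected as callables so it runs offline; the index is a constructed sample in the layout `docker buildx` emits when provenance is enabled (an attestation manifest entry with `os: unknown` whose `vnd.docker.reference.digest` annotation names the image manifest it covers). The digests, and the deliberately unattested `arm/v7` entry, are placeholders. One caveat the report also makes applies here: these attestation manifests are in-toto statements attached to the index, so their presence is not a signature check.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

GITHUB_API = "https://api.github.com"
ATTESTATION_TYPE = "attestation-manifest"


@dataclass
class ReleaseChain:
    repo: str
    tag: str
    github_release: bool
    git_tag: bool
    attested: List[str] = field(default_factory=list)    # platforms covered by an attestation manifest
    unattested: List[str] = field(default_factory=list)  # platforms without one

    @property
    def verdict(self) -> str:
        # Same reasoning as the report: no source-side anchor means "phantom release";
        # build attestations soften, but never remove, that finding.
        if self.github_release and self.git_tag:
            return "anchored"
        if self.attested and not self.unattested:
            return "phantom_release_attested"
        return "phantom_release"


def source_anchor(fetch_status: Callable[[str], int], repo: str, tag: str) -> Dict[str, bool]:
    """The two lookups the report quotes: releases/tags/<tag> and git/ref/tags/<tag>."""
    release_url = f"{GITHUB_API}/repos/{repo}/releases/tags/{tag}"
    ref_url = f"{GITHUB_API}/repos/{repo}/git/ref/tags/{tag}"
    return {"github_release": fetch_status(release_url) == 200,
            "git_tag": fetch_status(ref_url) == 200}


def attestation_coverage(index: dict) -> Dict[str, List[str]]:
    """Pair each runnable platform manifest in an OCI index with the buildx
    attestation manifest that points back at it via vnd.docker.reference.digest."""
    platforms: Dict[str, str] = {}  # image manifest digest -> "os/arch[/variant]"
    referenced = set()
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        plat = m.get("platform", {})
        if ann.get("vnd.docker.reference.type") == ATTESTATION_TYPE:
            referenced.add(ann.get("vnd.docker.reference.digest"))
            continue
        if plat.get("os") == "unknown":  # buildx marks attestation entries unknown/unknown too
            continue
        parts = (plat.get("os"), plat.get("architecture"), plat.get("variant"))
        platforms[m["digest"]] = "/".join(p for p in parts if p)
    return {"attested": sorted(n for d, n in platforms.items() if d in referenced),
            "unattested": sorted(n for d, n in platforms.items() if d not in referenced)}


def check_release_chain(fetch_status: Callable[[str], int], fetch_index: Callable[[str], dict],
                        repo: str, tag: str, image_ref: str) -> ReleaseChain:
    anchor = source_anchor(fetch_status, repo, tag)
    cov = attestation_coverage(fetch_index(image_ref))
    return ReleaseChain(repo, tag, anchor["github_release"], anchor["git_tag"],
                        cov["attested"], cov["unattested"])


def _manifest(digest: str, os_: str, arch: str, variant: str = "", attests: str = "") -> dict:
    m = {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": digest, "size": 1,
         "platform": {"os": os_, "architecture": arch}}
    if variant:
        m["platform"]["variant"] = variant
    if attests:
        m["annotations"] = {"vnd.docker.reference.type": ATTESTATION_TYPE,
                            "vnd.docker.reference.digest": attests}
    return m


# Constructed sample index: placeholder digests; arm/v7 deliberately has no attestation.
SAMPLE_INDEX = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
                "manifests": [_manifest("sha256:aaaa", "linux", "amd64"),
                              _manifest("sha256:bbbb", "linux", "arm64"),
                              _manifest("sha256:cccc", "linux", "arm", "v7"),
                              _manifest("sha256:dddd", "unknown", "unknown", attests="sha256:aaaa"),
                              _manifest("sha256:eeee", "unknown", "unknown", attests="sha256:bbbb")]}


def fake_status(url: str) -> int:
    # Constructed responses matching the report: v1.25.1-1 is anchored, v1.25.1-2 is not.
    return 200 if url.endswith("/v1.25.1-1") else 404


def fake_index(_image_ref: str) -> dict:
    return SAMPLE_INDEX


def demo(tag: str = "v1.25.1-2") -> ReleaseChain:
    return check_release_chain(fake_status, fake_index, "madnuttah/unbound-docker", tag,
                               "docker.io/madnuttah/unbound:" + tag.lstrip("v"))
```

To run it live, pass `fetch_status` as a function that issues the GET and returns the status code (mapping `urllib.error.HTTPError` to its code), and `fetch_index` as `json.loads` over the output of `skopeo inspect --raw docker://<ref>`. Signed attestations, where a publisher provides them, are a separate check with `cosign verify-attestation --type slsaprovenance` against the builder's expected OIDC identity; this script only tells you whether the unsigned buildx statements exist for every platform you run.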
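Where a provenance statement is available, the source ↔ artifact question can be answered from its content rather than from GitHub tags alone: the SLSA v0.2 predicate that buildx writes records `invocation.configSource.uri` (repository and ref) and `configSource.digest.sha1` (the commit), which can be compared with the `org.opencontainers.image.source` label and the `buildvars` commit `d89b39ab` named above. The check below is an added example, not from the project or the bot; the statement is constructed in that layout, and its run id, entry point, subject digest and materials are placeholders since none of those values appear on this page.

```python
import copy
from typing import Dict, Optional
from urllib.parse import urlparse

SLSA_V02 = "https://slsa.dev/provenance/v0.2"


def normalize_repo(uri: str) -> str:
    """'https://github.com/org/repo.git#refs/heads/main' -> 'github.com/org/repo'."""
    p = urlparse(uri.split("#", 1)[0])
    path = p.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (p.netloc + path).lower()


def source_correspondence(statement: dict, declared_source: str,
                          expected_commit: Optional[str] = None) -> Dict[str, object]:
    """Compare what the provenance says the image was built from with the repo the
    image label declares and, optionally, the commit the buildvars change points at."""
    if statement.get("predicateType") != SLSA_V02:
        # SLSA v1 puts this under buildDefinition.externalParameters; not handled here.
        return {"supported": False, "predicateType": statement.get("predicateType")}
    pred = statement.get("predicate", {})
    cfg = pred.get("invocation", {}).get("configSource", {})
    uri = cfg.get("uri", "")
    sha1 = cfg.get("digest", {}).get("sha1", "")
    repo_match = bool(uri) and normalize_repo(uri) == normalize_repo(declared_source)
    commit_match = None
    if expected_commit:
        # Accept the abbreviated form the report uses (d89b39ab).
        commit_match = bool(sha1) and sha1.lower().startswith(expected_commit.lower())
    return {"supported": True,
            "builder_id": pred.get("builder", {}).get("id", ""),
            "config_source": uri,
            "commit": sha1,
            "entry_point": cfg.get("entryPoint", ""),
            "repo_match": repo_match,
            "commit_match": commit_match}


def with_config_source(statement: dict, uri: str, sha1: str) -> dict:
    """Return a copy of the statement with a different configSource (for what-if checks)."""
    s = copy.deepcopy(statement)
    s.setdefault("predicate", {}).setdefault("invocation", {})["configSource"] = {
        "uri": uri, "digest": {"sha1": sha1}}
    return s


# Constructed statement in buildx's SLSA v0.2 shape; run id, entry point, subject
# digest and materials are placeholders, the repo and commit are the ones the report names.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "pkg:docker/madnuttah/unbound@1.25.1-2?platform=linux%2Famd64",
                 "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "builder": {"id": "https://github.com/madnuttah/unbound-docker/actions/runs/0/attempts/1"},
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {
            "configSource": {"uri": "https://github.com/madnuttah/unbound-docker.git#refs/heads/main",
                             "digest": {"sha1": "d89b39ab22e813f3dcb89e7c358c7df1f132e2dc"},
                             "entryPoint": "Dockerfile"}},
        "materials": [{"uri": "pkg:docker/placeholder-base@1.0?platform=linux%2Famd64",
                       "digest": {"sha256": "1" * 64}}],
    },
}

DECLARED_SOURCE = "https://github.com/madnuttah/unbound-docker"  # org.opencontainers.image.source


def audit_sample() -> Dict[str, object]:
    return source_correspondence(SAMPLE_STATEMENT, DECLARED_SOURCE, "d89b39ab")
```

The statement itself lives in the attestation manifest's in-toto layer; `docker buildx imagetools inspect --format '{{json .Provenance}}' <ref>` prints it per platform, and for cosign-signed attestations it is the base64 payload of the DSSE envelope that `cosign verify-attestation` emits. A repo match with a commit mismatch is the interesting outcome: the image was built from the declared repository, but not from the commit that claims this version.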
This PR contains the following updates:
`1.24.2-2` → `1.25.1-2`
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Configuration
📅 Schedule: (in timezone America/Los_Angeles)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.