| 1.1.1.3 |
| 06-Sep-2025 |
christos | Import unbound-1.23.1 (previous was 1.19.1)
Unbound 1.23.1 July 16, 2025
This security release fixes the Rebirthday Attack CVE-2025-5994.
This re-opens up resolvers to a birthday paradox, for EDNS client subnet servers that respond with non-ECS answers. It only affects Unbound when compiled with --enable-subnet, and subnetmod is enabled with config options that send ECS information to upstream servers.
The CVE is described here https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
We would like to thank Xiang Li (AOSP Lab, Nankai University) for discovering and responsibly disclosing the vulnerability.
Bug Fixes:
Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP Lab Nankai University.
Unbound 1.23.0 Apr 24, 2025
This release features changed defaults, fast reload, redis replica, DNS Error Reporting, and bug fixes.
The fast reload is a feature that is listed as experimental. With unbound-control fast_reload the server can read the new config in a thread, and when done only briefly pauses the server to update the settings. This uses double memory, for like zones from disk or config that is loaded. It only pauses the server, for like less than a second, so DNS service is not interrupted by the reload of config. A lot of config items can be changed, but not all. It has options to print more information, or memory usage, and there is a list of config options in the man page.
The redis replica support allows for a redis backend to use a redis replica. The read commands are sent to the redis replica host, while the write commands are sent to the redis server. So with several replicas there can be more readers that all write to the redis server.
With DNS error reporting, RFC9567, enabled with dns-error-reporting: yes, this uses the error reporting agent to send failure reports to. The number of error reporting queries is output in the statistics as num.dns_error_reports.
Some defaults are changed in this release. The resolver.arpa. and service.arpa. zones are added to the default locally served zones, this can be disabled with a nodefault local zone. The default for max-global-quota has changed to 200, after operational feedback. The defaults from RFC8767 are used by serve-expired-client-timeout on 1800 milliseconds and serve-expired-ttl on 86400 seconds. If Unbound is compiled with edns subnet, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet needs to be enabled, module-config: "subnetcache validator iterator" should be explicitly set as configuration in the server: section.
If edns subnet is enabled, the default for module-config is no longer altered, so that compilation with subnet does not interfere when the server does not use subnet. When edns subnet is in use, also module-config: "subnetcache validator iterator" should be set as configuration in the server: section.
The RC2 has fixes for building on Solaris and portability to Windows, and fixes a memory leak for DoH.
Features
Increase the default of max-global-quota to 200 from 128 after operational feedback. Still keeping the possible amplification factor (CAMP related issues) in the hundreds. Fix #1175: serve-expired does not adhere to secure-by-default principle. The default value of serve-expired-client-timeout is set to 1800 as suggested by RFC8767. For #1175, the default value of serve-expired-ttl is set to 86400 (1 day) as suggested by RFC8767. For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT. Add resolver.arpa and service.arpa to the default locally served zones. Merge #1042: Fast Reload. The unbound-control fast_reload is added. It reads changed config in a thread, then only briefly pauses the service threads, that keep running. DNS service is only interrupted briefly, less than a second. Merge #1019: Redis read-only replica support. Introduces new 'redis-replica-*' options for the Redis cache backend. Merge #902: DNS Error Reporting (RFC 9567). Introduces new configuration option 'dns-error-reporting' and new statistics for 'num.dns_error_reports'. Bug Fixes
Fix #1154: Tag Incorrectly Applying for Other Interfaces Using the Same IP. This fix is not for 1.22.0. Fix #1163: Typos in unbound.conf documentation. Merge #1159: Stats for discard-timeout and wait-limit. Add test case for #1159. Some clean up for stat_values.test. Merge #1170 from Melroy van den Berg, Fix chroot manpage description. Merge #1157 from Liang Zhu, Fix heap corruption when calling ub_ctx_delete in Windows. Fix redis that during a reload it does not fail if the redis server does not connect or does not respond. It still logs the errors and if the server is up checks expiration features. Merge #1167: Makefile.in: fix occasional parallel build failures around bison rule. Fix SETEX check during Redis (re)initialization. Fix for the serve expired DNSSEC information fix, it would not allow current delegation information be updated in cache. The fix allows current delegation and validation recursion information to be updated, but as a consequence no longer has certain expired information around for later dnssec valid expired responses. Fix to log redis timeout error string on failure. More descriptive text for 'harden-algo-downgrade'. Complete fix for max-global-quota to 200. Fix #1183: the data being used is released in method nsec3_hash_test_entry. Fix for #1183: release nsec3 hashes per test file. Merge #1169 from Sergey Kacheev, fix: lock-free counters for auth_zone up/down queries. Fix comparison to help static analyzer. For #1175, update serve-expired tests. Merge #1189: Fix the dname_str method to cause conversion errors when the domain name length is 255. Merge #1197: dname_str() fixes. Merge #1198: Fix log-servfail with serve expired and no useful cache contents. Safeguard alias loop while looking in the cache for expired answers. Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege drop. Fix typo in log_servfail.tdir test. Merge #1204: ci: set persist-credentials: false for actions/checkout per zizmor suggestion. Merge #1174: Serve expired cache update fixes. Fixes a regression bug with serve-expired that appeared in 1.22.0 and would not allow the iterator to update the cache with not-yet-validated entries resulting in increased outgoing traffic. Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS handshake. Fix #1213: Misleading error message on default access control causing refuse. Merge #1221: Consider auth zones when checking for forwarders. Merge #1222: Unique DoT and DoH SSL contexts to allow for different ALPN. Create the quic SSL listening context only when needed. Fix compile of interface check code when dnscrypt or quic is disabled. Fix encoding of RR type ATMA. Fix to check length in ATMA string to wire. Merge #1229: check before use daemon->shm_info. Use the same interface listening port discovery code for all needed protocols. Port to string only when needed before getaddrinfo(). Do not open unencrypted channels next to encrypted ones on the same port. Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is set. Merge #1220 from Petr Men#�k, Add unbound members group access to control key. Make the default value of module-config "validator iterator" regardless of compilation options. --enable-subnet would implicitly change the value to enable the subnetcache module by default in the past. Fix #986: Resolving sas.com with dnssec-validation fails though signed delegations seem to be (mostly) correct. Consider reconfigurations when calculating the still_useful_timeout for servers in the infrastructure cache. Fix static analysis report about unhandled EOF on error conditions when reading anchor key files. Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt values. Fix hash calculation for cachedb to ignore case. Previously, cached records there were only relevant for same case queries (if not already in Unbound's internal cache). Merge #1243: Do not shadow tm on line 236. Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. Add --help output description for the SOURCE_DATE_EPOCH variable. Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter. Fix representation of types GPOS and RESINFO, add rdf type for unquoted str. Fix #1251: WSAPoll first argument cannot be NULL. Fix for windows compile create ssl contexts. Fix print of RR type NSAP-PTR, it is an unquoted string. Fix #1253: Cache entries fail to be removed from Redis cachedb backend with unbound-control flush* +c. Fix for #1253: Fix for redis cachedb backend to expect an integer reply for the EXPIRE command. Fix #1254: send failed: Socket is not connected and remote address is 0.0.0.0 port 53. Fix #1255: Multiple pinnings to vulnerable copies of libexpat. For #1255, for ios use an older expat version that does not require C++11 language features. For #1255, for ios disable building tests that require C++11. For #1255, for ios try the latest expat version again. Fix unit test dname log printout typecast. Fix for ci test, expat is installed on the osx image. iana portlist update. Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir. Fix escape more characters when printing an RR type with an unquoted string. Enable the auth_tls.tdir and auth_tls_failcert.tdir tests. Fix unbound-control test so it counts the new flush_negative output, also answers the _ta probe from testns and prints command output and skip a thread specific test when no threads are available. Fix that ub_event has the facility to deal with callbacks for fast reload, doq, windows-stop and dnstap. Fix fast reload test to check if pid exists before acting on it. Merge #1262 from markyang92, fix build with 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c. For #1262, ifdef is no longer needed. Fix #1263: Exempt loopback addresses from wait-limit. Fix wait-limit-netblock and wait-limit-cookie-netblock config parse to allow two arguments. Fix ub_event and include dnstap and win_svc headers. Fix test for stat_values for wait limit default...
Unbound 1.22.0 Oct 17, 2024
This release has an option to harden against unverified glue, it is enabled with harden-unverified-glue: yes. It was contributed by Karthik Umashankar from Microsoft. This protects Unbound against bad glue, that is out of zone, by performing a lookup for it. Because it uses the original information as a last resort if nothing works, it should not give lookup failures, and add protection.
There are options to configure the scrubbing for NS records and the CNAME scrubbing and the max global quota lookup limit from previous security fix releases. They can be configured with the options iter-scrub-ns, iter-scrub-cname and max-global-quota.
For redis use, with cachedb, it is possible to specify the timeout for the initial connection separately from the timeout for commands. With the options redis-command-timeout: 20 and redis-connect-timeout: 200 they can be set separately, for a longer connect attempt, but a short command timeout to keep resolution faster.
It is possible to log with ISO8601 format with log-time-iso: yes this also logs time in milliseconds. Useful if the server writes to file, syslog may have its own format.
DNS over QUIC is support is added, if compiled with libngtcp2 and with the openssl+quic that it uses. Use --with-libngtcp2 for that, and enable it with quic-port: 853. There is a post about it on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to appear after the release].
Features
Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options. Merge patch to fix for glue that is outside of zone, with harden-unverified-glue, from Karthik Umashankar (Microsoft). Enabling this option protects the Unbound resolver against bad glue, that is unverified out of zone glue, by resolving them. It uses the records as last resort if there is no other working glue. Add redis-command-timeout: 20 and redis-connect-timeout: 200, that can set the timeout separately for commands and the connection set up to the redis server. If they are not specified, the redis-timeout value is used. Fix #1144: [FR] log timestamps in ISO8601 format with timezone. This adds the option log-time-iso: yes that logs in ISO8601 format. Merge #871: DNS over QUIC. This adds quic-port: 853 and quic-size: 8m that enable dnsoverquic, and the counters num.query.quic and mem.quic in the statistics output. The feature needs to be enabled by compiling with libngtcp2, with --with-libngtcp2=path and libngtcp2 needs openssl+quic, pass that with --with-ssl=path to compile unbound as well. Bug Fixes
Fix #1126: unbound-control-setup hangs while testing for openssl presence starting from version 1.21.0. Add cross platform freebsd, openbsd and netbsd to github ci. Fix for char signedness warnings on NetBSD. Fix #1127: error: "memory exhausted" when defining more than 9994 local-zones. Fix documentation for cache_fill_missing function. Fix #1130: Loads of logs: "validation failure: key for validation . is marked as invalid because of a previous" for non-DNSSEC signed zone. Fix that when rpz is applied the message does not get picked up by the validator. That stops validation failures for the message. Fix that stub-zone and forward-zone clauses do not exhaust memory for long content. Unit test for auth zone transfer TLS, and TLS failure. Fix to print port number in logs for auth zone transfer activities. Merge #1132: b.root renumbering. Fix for #1132, adjusted unit test for change in the test file. Fix for #1132, comment about adjusted copy of reference check. Merge #1135: Add new IANA trust anchor. Fix config file read for dnstap-sample-rate. Fix alloc-size and calloc-transposed-args compiler warnings. Fix comment to not trigger doxygen unknown command. Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077). Add unit test for ttl limit for aggressive nsec. Fix and add comments in testdata/val_negcache_ttl.rpl. Merge #1140: Fix spelling mistake in comments. Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING, CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were already disabled. Fix dns64 with prefetch that the prefetch is stored in cache. Attempt to further fix doh_downstream_buffer_size.tdir flakiness. More clear text for prefetch and minimal-responses in the unbound.conf man page. Merge #1143: Fix cache update when serve expired is used. Expired records are favored over resolution and validation failures when serve-expired is used. Fix negative cache NSEC3 parameter compares for zero length NSEC3 salt. Fix unbound dnstap socket test program analyzer warnings about unused variable assignments and variable initialization. Fix #1149: unbound-control-setup hangs sometimes depending on the openssl version. Fix #1128: Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream. Fix to limit NSEC TTL for messages from cachedb. Fix to limit the prefetch ttl for messages after a CNAME with short TTL. Fix for dnstap compile of doqclient with doq disabled. Fix cookie_file test sporadic fails for time change during the test. Fix add reallocarray to alloc stats unit test, and disable override of strdup in unbound-host, and the result of config get option is freed properly. Fix to disable detection of quic configured ports when quic is not compiled in. Fix harden-unverified-glue for AAAA cache_fill_missing lookups. Fix contrib/aaaa-filter-iterator.patch for change in call signature for cache_fill_missing. Fix to display warning if quic-port is set but dnsoverquic is not enabled when compiled. Fix dnsoverquic to extend the number of streams when one is closed. Fix for dnstap with dnscrypt and dnstap without dnsoverquic. Fix for dnsoverquic and dnstap to use the correct dnstap environment.
Unbound 1.21.1 Oct 4, 2024
This security release fixes CVE-2024-8508.
A vulnerability has been discovered in Unbound when handling replies with very large RRsets that Unbound needs to perform name compression for.
Malicious upstreams responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks.
The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete.
Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.
This change should not affect normal DNS traffic.
We would like to thank Toshifumi Sakaguchi for discovering and responsibly disclosing the vulnerability.
Bug Fixes:
Fix CVE-2024-8508, unbounded name compression could lead to denial of service.
Unbound 1.21.0 Aug 15, 2024
This release has a fix for the CAMP and CacheFlush issues. They have a low severity for Unbound, since it does not affect Unbound so much.
The Compositional Amplification (CAMP) type of attacks can lead to DoS attacks against DNS servers. In Unbound legitimate client requests to the resolvers under typical workload are not directly affected by CAMP attacks. However we introduce a global quota for 128 outgoing packets per query (and it's subqueries) that is never reset to prevent the combination of CAMP with other amplification attacks in the future. We would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich for discovering and notifying us about the issue.
The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to evict cached data by utilizing rogue zones and a steady rogue stream to a resolver. Based on the zone, the stream, the configured cache size and the legitimate traffic, Unbound could experience a degradation of service if a useful entry is evicted and Unbound needs to resolve again. As a mitigation to the NSCacheFlush attack Unbound is setting a limit of 20 RRs in an NS RRset. We would like to thank Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University) for discovering and notifying us about the issue.
Other fixes in this release are bug fixes. Also the unbound control commands that flush the cache can clear both the memory and cachedb module cache. The ipset module can use BSD pf tables. The new option dnstap-sample-rate: 100 can be used to log 1/N messages, for use in high volume server environments where the log server does not keep up.
The new DNSSEC key for the root, 38696 from 2024 has been added. It is added to the default root keys in unbound-anchor. The content can be inspected with unbound-anchor -l. Older versions of Unbound can keep up with the root key with auto-trust-anchor-file that has RFC5011 key rollover. Also unbound-anchor can fetch the keys from the website with a certificate if needed.
For cookie secrets, it is possible to perform rollover. The file with cookie secret in use and the staging secret is configured with cookie-secret-file. With the remote control the rollover can be performed, add_cookie_secret, activate_cookie_secret, drop_cookie_secret and print_cookie_secrets can be used for that.
Compared to the RC1, the release has a fix for module loading on Windows, and a spelling correction.
Features
Fix #1071: [FR] Clear both in-memory and cachedb module cache with unbound-control flush* commands. Fix #144: Port ipset to BSD pf tables. Add dnstap-sample-rate that logs only 1/N messages, for high volume server environments. Thanks Dan Luther. Add root key 38696 from 2024 for DNSSEC validation. It is added to the default root keys in unbound-anchor. The content can be inspected with unbound-anchor -l. Merge #1090: Cookie secret file. Adds cookie-secret-file: "unbound_cookiesecrets.txt" option to store cookie secrets for EDNS COOKIE secret rollover. The remote control add_cookie_secret, activate_cookie_secret and drop_cookie_secret commands can be used for rollover, the command print_cookie_secrets shows the values in use. Bug Fixes
Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich. Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and Reichman University). Merge #1062: Fix potential overflow bug while parsing port in function cfg_mark_ports. Fix for #1062: declaration before statement, avoid print of null, and redundant check for array size. Fix to squelch udp connect errors in the log at low verbosity about invalid argument for IPv6 link local addresses. Fix when the mesh jostle is exceeded that nameserver targets are marked as resolved, so that the lookup is not stuck on the requestlist. Add missing common functions to tdir tests. Merge #1070: Fix rtt assignement for low values of infra-cache-max-rtt. Merge #1069: Fix unbound-control stdin commands for multi-process Unbounds. Fix unbound-control commands that read stdin in multi-process operation (local_zones_remove, local_zones, local_datas_remove, local_datas, view_local_datas_remove, view_local_datas). They will be properly distributed to all processes. dump_cache and load_cache are no longer supported in multi-process operation. Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir now checks both single and multi process/thread operation. Merge #1073: fix null pointer dereference issue in function ub_ctx_set_fwd. Fix to print a parse error when config is read with no name for a forward-zone, stub-zone or view. Fix for parse end of forward-zone, stub-zone and view. Fix for #1064: Fix that cachedb expired messages are considered insecure, and thus can be served to clients when dnssec is enabled. Fix #1059: Intermittent DNS blocking failure with local-zone and always_nxdomain. Addition of local_zones dynamically via unbound-control was not finding the zone's parent correctly. Fix #1064: Unbound 1.20 Cachedb broken? Fix unused variable warning on compilation with no thread support. unbound-control-setup: check openssl availability before doing anything, patch from Michael Tokarev. Update patch to remove 'command' shell builtin and update error text. Fix to enable that SERVFAIL is cached, for a short period, for more cases. In the cases where limits are exceeded. Fix spelling of tcp-idle-timeout docs, from Michael Tokarev. Merge #1078: Only check old pid if no username. Fix #1079: tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0. Fix for #1079: fix RPZ taglist in iterator callback that no client info is like no taglist intersection. Fix to squelch connection reset by peer errors from log. And fix that the tcp read errors are labeled as initial for the first calls. Merge #1080: AddressSanitizer detection in tdir tests and memory leak fixes. Fix memory leak when reload_keep_cache is used and num-threads changes. Fix memory leak on exit for unbound-dnstap-socket; creates false negatives during testing. Fix memory leak in setup of dsa sig. Fix typos for 'the the' in text. Fix validation for repeated use of a DNAME record. Add unit test for validation of repeated use of a DNAME record. Fix #1091: Build fails with OpenSSL >= 3.0 built with OPENSSL_NO_DEPRECATED. Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by adding helpful text for the Python interpreter version and allowing the default pkg-config unavailability error message to be shown. Fix pkg-config availability check in dnstap/dnstap.m4 and systemd.m4. Explicitly set the RD bit for the mesh query flags when prefetching. These queries have no waiting client but they need to be treated as recursive. Fix ip-ratelimit-cookie setting, it was not applied. Fix to remove unused include from the readzone test program. Fix unused variable warning in do_cache_remove. Fix compile warning in worker pthread id printout. Add unit test skip files and bison and flex output to gitignore. Fix to use modstack_init in zonemd unit test. Fix to remove unneeded linebreak in fptr_wlist.c. Fix compile warnings in fptr_wlist.c. Fix for repeated use of a DNAME record: first overallocate and then move the exact size of the init value to avoid false positive heap overflow reads from address sanitizers. Fix to print details about the failure to lookup a DNSKEY record when validation fails due to the missing DNSKEY. Also for key prime and DS lookups. Fix for neater printout for error for missing DS response. Fix neater printout. Fix #1099: Unbound core dump on SIGSEGV. Fix for #1099: Fix to check for deleted RRset when the contents is updated and fetched after it is stored, and also check for a changed RRset. Don't check for message TTL changes if the RRsets remain the same. Fix that validation reason failure that uses string print uses separate buffer that is passed, from the scratch validation buffer. Fixup algo_needs_reason string buffer length. Fix shadowed error string variable in validator dnskey handling. Update list of known EDE codes. For #773: In contrib/unbound.service.in set unbound to start after network-online.target. Also for contrib/unbound_portable.service.in. Fix #1103: unbound 1.20.0 segmentation fault with nghttp2. For #1103: fix to also drop mesh state reference when a h2 reply is dropped. Add RPZ tag tests in acl_interface.tdir. For #1102: clearer text for using interface-* options for the loopback interface. For #1103: fix to also drop mesh state reference when the discard limit is reached, when there is an error making a new recursion state and when the connection is dropped with is_drop. For #1103: Fix to drop mesh state reference for the http2 stream associated with the reply, not the currently active stream. And it does not remove it twice on a mesh_send_reply call. The reply h2_stream is NULL when not in use, for more initialisation. Fix dnstap wakeup, a running wakeup timer is left to expire and not increased, a timer is started when the dtio thread is sleeping, the timer set disabled when the dtio thread goes to sleep, and after sleep the thread checks to see if there are messages to log immediately. Merge #1110: Make fallthrough explicit for libworker.c. For #1110: Test for fallthrough attribute in configure and add fallthrough attribute an...
Unbound 1.20.0 May 8, 2024
This release has a fix for the DNSBomb issue CVE-2024-33655. This has a low severity for Unbound, since it makes Unbound complicit in targeting others, but does not affect Unbound so much.
To mitigate the issue new configuration options are introduced. The options discard-timeout: 1900, wait-limit: 1000 and wait-limit-cookie: 10000 are enabled by default. They limit the number of outstanding queries that a querier can have. This limits the reply pulse, and make Unbound less favorable for the issue. With the config wait-limit-netblock and wait-limit-cookie-netblock the parameters can be fine tuned for specific destinations. More information on the attack and Unbound's mitigations are presented further down.
Other fixes in this release are that Unbound no longer follows symlinks when truncating the pidfile. Unbound also does not chown the pidfile, this is for safety reasons. There are also a number of fixes for RPZ, in handling CNAMEs. There is a memory leak fix for the edns client subnet cache. For DNSSEC validation a case is fixed when the query is of type DNAME. The unbound-anchor program is fixed to first write to a temporary file, before replacing the original. This handles disk full situations, and because of it unbound-anchor needs permission to create that file, in the same directory as the original file. There is also a fix for IP_DONTFRAG, to disable fragmentation instead of the opposite.
The option cache-min-negative-ttl can be used to set the minimum TTL for negative responses in the cache. It complements existing options to set the maximum ttl for negative responses and to set the minimum and maximum ttl but not specifically for negative responses.
The option cachedb-check-when-serve-expired option makes Unbound use cachedb to check for expired responses, when serve-expired is enabled, and cachedb is used. It is enabled by default.
The -q option for unbound-checkconf can be added to silence it when there are no errors.
The DNSBomb vulnerability CVE-2024-33655.
== Summary The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.
Unbound itself is not vulnerable for DoS, rather it can be used to take part in a pulsing DoS amplification attack.
Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.
== Affected products Unbound up to and including 1.19.3.
== Description The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the authoritative answers become available to Unbound at the same time, Unbound starts serving all the accumulated queries. This results into large-sized, concentrated response bursts to the spoofed addresses.
From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages but they are also briefly listed here together with their default values for convenience:
discard-timeout: 1900 After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of "old" replies. Legitimate clients retry on timeouts.
wait-limit: 1000 wait-limit-cookie: 10000 Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default. wait-limit: 0 disables all wait limits.
wait-limit-netblock wait-limit-cookie-netblock These do not have a default value but they can fine grain configuration for specific netblocks. With or without EDNS Cookies.
The options above are trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be and making the attack, and Unbound's participation, less tempting for attackers.
== Acknowledgements We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack.
Features
The config for discard-timeout, wait-limit, wait-limit-cookie, wait-limit-netblock and wait-limit-cookie-netblock was added, for the fix to the DNSBomb issue. Merge #1027: Introduce 'cache-min-negative-ttl' option. Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates config.guess(2024-01-01) and config.sub(2024-01-01), verified with upstream. Implement cachedb-check-when-serve-expired: yes option, default is enabled. When serve expired is enabled with cachedb, it first checks cachedb before serving the expired response. Fix #876: [FR] can unbound-checkconf be silenced when configuration is valid? Bug Fixes
Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li from the Network and Information Security Lab of Tsinghua University for reporting it. Update doc/unbound.doxygen with 'doxygen -u'. Fixes option deprecation warnings and updates with newer defaults. Remove unused portion from iter_dname_ttl unit test. Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. Fix qname minimisation for reply with a DNAME for qtype CNAME that answers it. Fix doc test so it ignores but outputs unsupported doxygen options. Fix #1021 Inconsistent Behavior with Changing rpz-cname-override and doing a unbound-control reload. Merge #1028: Clearer documentation for tcp-idle-timeout and edns-tcp-keepalive-timeout. Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected. Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger. Fix to unify codepath for local alias for rpz cname action override. Fix rpz for cname override action after nsdname and nsip triggers. Fix that addrinfo is not kept around but copied and freed, so that log-destaddr uses a copy of the information, much like NSD does. Merge #1030: Persist the openssl and expat directories for repeated Windows builds. Fix that rpz CNAME content is limited to the max number of cnames. Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets the reply query_info values, that is better for debug logging. Fix rpz that copies the cname override completely to the temp region, so there are no references to the rpz region. Add rpz unit test for nsip action override. Fix rpz for qtype CNAME after nameserver trigger. Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that clientip and nsip can give a CNAME. Fix localdata and rpz localdata to match CNAME only if no direct type match is available. Merge #831 from Pierre4012: Improve Windows NSIS installer script (setup.nsi). For #831: Format text, use exclamation icon and explicit label names. Fix name of unit test for subnet cache response. Fix #1032: The size of subnet_msg_cache calculation mistake cause memory usage increased beyond expectations. Fix for #1032, add safeguard to make table space positive. Fix comment in lruhash space function. Fix to add unit test for lruhash space that exercises the routines. Fix that when the server truncates the pidfile, it does not follow symbolic links. Fix that the server does not chown the pidfile. Fix #1034: DoT forward-zone via unbound-control. Fix for crypto related failures to have a better error string. Fix #1035: Potential Bug while parsing port from the "stub-host" string; also affected forward-zones and remote-control host directives. Fix #369: dnstap showing extra responses; for client responses right from the cache when replying with expired data or prefetching. Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports of file util/config_file.c. For #1040: adjust error text and disallow negative ports in other parts of cfg_mark_ports. Fix comment syntax for view function views_find_view. Fix #595: unbound-anchor cannot deal with full disk; it will now first write out to a temp file before replacing the original one, like Unbound already does for auto-trust-anchor-file. Fixup compile without cachedb. Add test for cachedb serve expired. Extended test for cachedb serve expired. Fix makefile dependencies for fake_event.c. Fix cachedb for serve-expired with serve-expired-reply-ttl. Fix to not reply serve expired unless enabled for cachedb. Fix cachedb for serve-expired with serve-expired-client-timeout. Fixup unit test for cachedb server expired client timeout with a check if response if from upstream or from cachedb. Fixup cachedb to not refetch when serve-expired-client-timeout is used. Merge #1049 from Petr Men#�k: Py_NoSiteFlag is not needed since Python 3.8 Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4. Fix configure, autoconf for #1048. Add checklock feature verbose_locking to trace locks and unlocks. Fix edns subnet to sort rrset references when storing messages in the cache. This fixes a race condition in the rrset locks. Merge #1053: Remove child delegations from cache when grandchild delegation...
Unbound 1.19.3 Mar 14, 2024
This release has a number of bug fixes. The CNAME synthesized for a DNAME record uses the original TTL, of the DNAME record, and that means it can be cached for the TTL, instead of 0.
There is a fix that when a message was stored in cache, but one of the RRsets was not updated due to cache policy, it now restricts the message TTL if the cache version of the RRset has a shorter TTL. It avoids a bug where the message is not expired, but its contents is expired.
For dnstap, it logs type DoH and DoT correctly, if that is used for the message.
The b.root-servers.net address is updated in the default root hints.
When performing retries for failed sends, a retry at a smaller UDP size is now not performed when that attempt is not actually smaller, and at defaults, since the flag day changes, it is the same size. This makes it skip the step, it is useless because there is no reduction in size.
Clients with a valid DNS Cookie will bypass the ratelimit, if one is set. The value from ip-ratelimit-cookie is used for these queries.
Furthermore there is a fix to make correct EDE Prohibited answers for access control denials, and a fix for EDNS client subnet scope zero answers.
Features:
Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. Bug Fixes:
Fix unit test parse of origin syntax. Use 127.0.0.1 explicitly in tests to avoid delays and errors on newer systems. Fix #964: config.h.in~ backup file in release tar balls. Merge #968: Replace the obsolescent fgrep with grep -F in tests. Merge #971: fix 'WARNING: Message has 41 extra bytes at end'. Fix #969: [FR] distinguish Do53, DoT and DoH in the logs. Fix dnstap that assertion failed on logging other than UDP and TCP traffic. It lists it as TCP traffic. Fix to sync the tests script file common.sh. iana portlist update. Updated IPv4 and IPv6 address for b.root-servers.net in root hints. Update test script file common.sh. Fix tests to use new common.sh functions, wait_logfile and kill_from_pidfile. Fix #974: doc: default number of outgoing ports without libevent. Merge #975: Fixed some syntax errors in rpl files. Fix root_zonemd unit test, it checks that the root ZONEMD verifies, now that the root has a valid ZONEMD. Update example.conf with cookie options. Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors for non-HTTP/2 DoH clients. Merge #985: Add DoH and DoT to dnstap message. Fix #983: Sha1 runtime insecure change was incomplete. Remove unneeded newlines and improve indentation in remote control code. Merge #987: skip edns frag retry if advertised udp payload size is not smaller. Fix unit test for #987 change in udp1xxx retry packet send. Merge #988: Fix #981: dump_cache truncates large records. Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows. Fix to link with libssp for libcrypto and getaddrinfo check for only header. Also update crosscompile to remove ssp for 32bit. Merge #993: Update b.root-servers.net also in example config file. Update workflow for ports to use newer openssl on windows compile. Fix warning for windres on resource files due to redefinition. Fix for #997: Print details for SSL certificate failure. Update error printout for duplicate trust anchors to include the trust anchor name (relates to #920). Update message TTL when using cached RRSETs. It could result in non-expired messages with expired RRSETs (non-usable messages by Unbound). Merge #999: Search for protobuf-c with pkg-config. Fix #1006: Can't find protobuf-c package since #999. Fix documentation for access-control in the unbound.conf man page. Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. Document the suspend argument for process_ds_response(). Move github workflows to use checkoutv4. Fix edns subnet replies for scope zero answers to not get stored in the global cache, and in cachedb, when the upstream replies without an EDNS record. Fix for #1022: Fix ede prohibited in access control refused answers. Fix unbound-control-setup.cmd to use 3072 bits so that certificates are long enough for newer OpenSSL versions. Fix TTL of synthesized CNAME when a DNAME is used from cache. Fix unbound-control-setup.cmd to have CA v3 basicConstraints, like unbound-control-setup.sh has.
Unbound 1.19.2 Mar 7, 2024
This security release fixes CVE-2024-1931.
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop.
Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.
From version 1.19.2 on, the code is fixed to avoid looping indefinitely.
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability.
Bug Fixes:
Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies.
|
| 1.1.1.2 |
| 06-Feb-2018 |
christos | branches: 1.1.1.2.18; Unbound 1.6.8 Download: unbound-1.6.8.tar.gz SHA1 checksum: 492737be9647c26ee39d4d198f2755062803b412 SHA256 checksum: e3b428e33f56a45417107448418865fe08d58e0e7fea199b855515f60884dd49 PGP signature: unbound-1.6.8.tar.gz.asc Date: 19 Jan, 2018 Bug Fixes Fix for CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records. Older versions Unbound 1.6.7 Download: unbound-1.6.7.tar.gz SHA1 checksum: 098f8acfc3e9d1cab54f07863e61eabbb67c80dc SHA256 checksum: 4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f PGP signature: unbound-1.6.7.tar.gz.asc Date: 10 Oct, 2017 Features Set trust-anchor-signaling default to yes #1440: [dnscrypt] client nonce cache. #1435: Allow UDP to be disabled separately upstream and downstream. Bug Fixes Fix that looping modules always stop the query, and don't pass control. Fix unbound-host to report error for DNSSEC state of failed lookups. Spelling fixes, from Josh Soref. Fix #1400: allowing use of global cache on ECS-forwarding unless always-forward. use a cachedb answer even if it's "expired" when serve-expired is yes (patch from Jinmei Tatuya). trigger refetching of the answer in that case (this will bypass cachedb lookup) allow storing a 0-TTL answer from cachedb in the in-memory message cache when serve-expired is yes Fix DNSCACHE_STORE_ZEROTTL to be bigger than 0xffff. Log name of looping module Fix #1450: Generate again patch contrib/aaaa-filter-iterator.patch (by Danilo G. Baio). Fix param unused warning for windows exportsymbol compile. Use RCODE from A query on DNS64 synthesized answer. Fix trust-anchor-signaling works in libunbound. Fix spelling in unbound-control man page. Unbound 1.6.6 Download: unbound-1.6.6.tar.gz SHA1 checksum: d205c03a402f5d900d5bad3d036849a12804a49e SHA256 checksum: 972b14dc33093e672652a7b2b5f159bab2198b0fe9c9e1c5707e1895d4d4b390 PGP signature: unbound-1.6.6.tar.gz.asc Date: 18 Sep, 2017 Features unbound-control dump_infra prints port number for address if not 53. Fix #1344: RFC6761-reserved domains: test. and invalid. Fix #1349: allow suppression of pidfiles (from Daniel Kahn Gillmor). With the -p option unbound does not create a pidfile. Added stats for queries that have been ratelimited by domain recursion. Patch to show DNSCrypt status in help output, from Carsten Strotmann. Fix #1407: Add ECS options check to unbound-checkconf. Fix #1415: [dnscrypt] shared secret cache, patch from Manu Bretelle. Bug Fixes fixup of dnscrypt_cert_chacha test (from Manu Bretelle). First fix for zero b64 and hex text zone format in sldns. Better fixup of dnscrypt_cert_chacha test for different escapes. Fix that infra cache host hash does not change after reconfig. Fix python example0 return module wait instead of error for pass. enhancement for hardened-tls for DNS over TLS. Removed duplicated security settings. Fix for unbound-checkconf, check ipsecmod-hook if ipsecmod is turned on. Fix #1331: libunbound segfault in threaded mode when context is deleted. Fix pythonmod link line option flag. Fix openssl 1.1.0 load of ssl error strings from ssl init. Fix 1332: Bump verbosity of failed chown'ing of the control socket. Redirect all localhost names to localhost address for RFC6761. Fix #1350: make cachedb backend configurable (from JINMEI Tatuya). Fix tests to use .tdir (from Manu Bretelle) instead of .tpkg. upgrade aclocal(pkg.m4 0.29.1), config.guess(2016-10-02), config.sub(2016-09-05). annotate case statement fallthrough for gcc 7.1.1. flex output from flex 2.6.1. snprintf of thread number does not warn about truncated string. squelch TCP fast open error on FreeBSD when kernel has it disabled, unless verbosity is high. remove warning from windows compile. Fix compile with libnettle Fix DSA configure switch (--disable dsa) for libnettle and libnss. Fix #1365: Add Ed25519 support using libnettle. Fix #1394: mix of serve-expired and response-ip could cause a crash. Remove unused iter_env member (ip6arpa_dname) Do not reset rrset.bogus stats when called using stats_noreset. Do not add rrset_bogus and query ratelimiting stats per thread, these module stats are global. Fix #1397: Recursive DS lookups for AS112 zones names should recurse. Fix #1398: make cachedb secret configurable. Remove spaces from Makefile. Fix issue on macOX 10.10 where TCP fast open is detected but not implemented causing TCP to fail. The fix allows fallback to regular TCP in this case and is also more robust for cases where connectx() fails for some reason. Fix #1402: squelch invalid argument error for fd_set_block on windows. Fix to reclaim tcp handler when it is closed due to dnscrypt buffer allocation failure. Fix #1415: patch to free dnscrypt environment on reload. iana portlist update Small fixes for the shared secret cache patch. Fix WKS records on kvm autobuild host, with default protobyname entries for udp and tcp. Fix #1414: fix segfault on parse failure and log_replies. zero qinfo in handle_request, this zeroes local_alias and also the qname member. new keys and certs for dnscrypt tests. fixup WKS test on buildhost without servicebyname. updated contrib/fastrpz.patch to apply with configparser changes. Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs. Fix #1424: cachedb:testframe is not thread safe. Fix #1417: [dnscrypt] shared secret cache counters, and works when dnscrypt is not enabled. And cache size configuration option. Fix #1418: [ip ratelimit] initialize slabhash using ip-ratelimit-slabs. Recommend 1472 buffer size in unbound.conf Fix #1412: QNAME minimisation strict mode not honored Fix #1434: Fix windows openssl 1.1.0 linking. Add dns64 for client-subnet in unbound-checkconf. Unbound 1.6.5 Download: unbound-1.6.5.tar.gz SHA1 checksum: ecb260b94d139d84fae2bff80f9701f53a329e26 SHA256 checksum: e297aa1229015f25bf24e4923cb1dadf1f29b84f82a353205006421f82cc104e PGP signature: unbound-1.6.5.tar.gz.asc Date: 21 Aug, 2017 Bug Fixes Fix install of trust anchor when two anchors are present, makes both valid. Checks hash of DS but not signature of new key. This fixes the root.key file if created when unbound is installed between sep11 and oct11 2017. Unbound 1.6.4 Download: unbound-1.6.4.tar.gz SHA1 checksum: 836ecc48518b9159f600a738c276423ef1f95021 SHA256 checksum: df0a88816ec31ccb8284c9eb132e1166fbf6d9cde71fbc4b8cd08a91ee777fed PGP signature: unbound-1.6.4.tar.gz.asc Date: 27 Jun, 2017 Features Implemented trust anchor signaling using key tag query. unbound-checkconf -o allows query of dnstap config variables. Also unbound-control get_option. Also for dnscrypt. unbound.h exports the shm stats structures. They use type long long and no ifdefs, and ub_ before the typenames. Implemented opportunistic IPsec support module (ipsecmod). Added redirect-bogus.patch to contrib directory. Support for the ED25519 algorithm with openssl (from openssl 1.1.1). renumbering B-Root's IPv6 address to 2001:500:200::b. Fix #1276: [dnscrypt] add XChaCha20-Poly1305 cipher. Fix #1277: disable domain ratelimit by setting value to 0. Added fastrpz patch to contrib Bug Fixes Added ECS unit test (from Manu Bretelle). ECS documentation fix (from Manu Bretelle). Fix #1252: more indentation inconsistencies. Fix #1253: unused variable in edns-subnet/addrtree.c:getbit(). Fix #1254: clarify ratelimit-{for,below}-domain (from Manu Bretelle). iana portlist update Based on #1257: check parse limit before t increment in sldns RR string parse routine. Fix #1258: Windows 10 X64 unbound 1.6.2 service will not start. and fix that 64bit getting installed in C:\Program Files (x86). Fix #1259: "--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c". iana portlist update Added test for leak of stub information. Fix sldns wire2str printout of RR type CAA tags. Fix sldns int16_data parse. Fix sldns parse and printout of TSIG RRs. sldns SMIMEA and AVC definitions, same as getdns definitions. Fix tcp-mss failure printout text. Set SO_REUSEADDR on outgoing tcp connections to fix the bind before connect limited tcp connections. With the option tcp connections can share the same source port (for different destinations). Add 'c' to getopt() in testbound. Adjust servfail by iterator to not store in cache when serve-expired is enabled, to avoid overwriting useful information there. Fix queries for nameservers under a stub leaking to the internet. document trust-anchor-signaling in example config file. updated configure, dependencies and flex output. better module memory lookup, fix of unbound-control shm names for module memory printout of statistics. Fix type AVC sldns rrdef. Some whitespace fixup. Fix #1265: contrib/unbound.service contains hardcoded path. Fix #1265 to use /bin/kill. Fix #1267: Libunbound validator/val_secalgo.c uses obsolete APIs, and compatibility with BoringSSL. Fix #1268: SIGSEGV after log_reopen. exec_prefix is by default equal to prefix. printout localzone for duplicate local-zone warnings. Fix assertion for low buffer size and big edns payload when worker overrides udpsize. Support for openssl EVP_DigestVerify. Fix #1269: inconsistent use of built-in local zones with views. Add defaults for new local-zone trees added to views using unbound-control. Fix #1273: cachedb.c doesn't compile with -Wextra. If MSG_FASTOPEN gives EPIPE fallthrough to try normal tcp write. Also use global local-zones when there is a matching view that does not have any local-zone specified. Fix fastopen EPIPE fallthrough to perform connect. Fix #1274: automatically trim chroot path from dnscrypt key/cert paths (from Manu Bretelle). Fix #1275: cached data in cachedb is never used. Fix that unbound-control can set val_clean_additional and val_permissive_mode. Add dnscrypt XChaCha20 tests. Detect chacha for dnscrypt at configure time. dnscrypt unit tests with chacha. Added domain name based ECS whitelist. Fix #1278: Incomplete wildcard proof. Fix #1279: Memory leak on reload when python module is enabled. Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly. More fixes in depth for buffer checks in 0x20 qname checks. Fix stub zone queries leaking to the internet for harden-referral-path ns checks. Fix query for refetch_glue of stub leaking to internet. Fix #1301: memory leak in respip and tests. Free callback in edns-subnetmod on exit and restart. Fix memory leak in sldns_buffer_new_frm_data. Fix memory leak in dnscrypt config read. Fix dnscrypt chacha cert support ifdefs. Fix dnscrypt chacha cert unit test escapes in grep. Fix to unlock view in view test. Fix warning in pythonmod under clang compiler. Fix lintian typo. Fix #1316: heap read buffer overflow in parse_edns_options. Unbound 1.6.3 Download: unbound-1.6.3.tar.gz SHA1 checksum: 4477627c31e8728058565f3bae3a12a1544d8a9c SHA256 checksum: 4c7e655c1d0d2d133fdeb81bc1ab3aa5c155700f66c9f5fb53fa6a5c3ea9845f PGP signature: unbound-1.6.3.tar.gz.asc Date: 13 Jun, 2017 Bug Fixes Fix #1280: Unbound fails assert when response from authoritative contains malformed qname. When 0x20 caps-for-id is enabled, when assertions are not enabled the malformed qname is handled correctly. Unbound 1.6.2 Download: unbound-1.6.2.tar.gz SHA1 checksum: de370b1ac8e260db9c4c1504453752713dd8818f SHA256 checksum: 1a323d72c32180b7141c9e6ebf199fc68a0208dfebad4640cd2c4c27235e3b9c PGP signature: unbound-1.6.2.tar.gz.asc Date: 24 Apr, 2017 Features Add trustanchor.unbound CH TXT that gets a response with a number of TXT RRs with a string like "example.com. 2345 1234" with the trust anchors and their keytags. Patch for view functionality for local-data-ptr from Björn Ketelaars. Response actions based on IP address from Jinmei Tatuya (Infoblox). Patch from Luiz Fernando Softov for Stats Shared Memory. unbound-control stats_shm command prints stats using shared memory, which uses less cpu. --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and DS records. NSEC3 is not disabled. #1217. DNSCrypt support, with --enable-dnscrypt, libsodium and then enabled in the config file from Manu Bretelle. Merge EDNS Client subnet implementation from feature branch into main branch, using new EDNS processing framework. harden-algo-downgrade: no also makes unbound more lenient about digest algorithms in DS records. Bug Fixes sldns has ED25519 and ED448 algorithm number and name for display. sldns updated for vfixed and buffer resize indication from getdns. iana portlist update Fix #1224: Fix that defaults should not fall back to "Program Files (x86) if Unbound is 64bit by default on windows. Fix doc/CNAME-basedRedirectionDesignNotes.pdf zone static to redirect. make depend, autoconf, doxygen and lint fixed up. include sys/time.h for new shm code on NetBSD. Fix #1227: Fix that Unbound control allows weak ciphersuits. Fix #1226: provide official 32bit binary for windows. For #1227: if we have sha256, set the cipher list to have no known vulns. Fix testpkts.c, check if DO bit is set, not only if there is an OPT record. Fix #1229: Systemd service sandboxing in contrib/unbound.service. Fix #1230: swig version 2.0.1 is required for pythonmod, with 1.3.40 it crashes when running repeatly unbound-control reload. fix enum conversion warnings fake-sha1 test option; print warning if used. To make unit tests. unbound-control list local zone and data commands listed in the help output. Fix #1234: shortening DNAME loop produces duplicate DNAME records in ANSWER section. testbound understands Deckard MATCH rcode question answer commands. Fix #1235: Fix too long DNAME expansion produces SERVFAIL instead of YXDOMAIN + query loop, reported by Petr Spacek. Fix that SHM is not inited if not enabled. Fix that looped DNAMEs do not cause unbound to spend effort. trustanchor tags are sorted. reusable routine to fetch taglist. Fix #1237 - Wrong resolving in chain, for norec queries that get SERVFAIL returned. make depend, autoconf, remove warnings about statement before var. lru_demote and lruhash_insert_or_retrieve functions for getdns. fixup for lruhash (whitespace and header file comment). dnscrypt tests. Fix doxygen for dnscrypt files. Fix #1238: segmentation fault when adding through the remote interface a per-view local zone to a view with no previous (configured) local zones. Fix #1229: Systemd service sandboxing, options in wrong sections. Fix #1239: configure fails to find python distutils if python prints warning. Fix to prevent non-referal query from being cached as referal when the no_cache_store flag was set. Remove (now unused) event2 include from dnscrypt code. Fix #1217: Add metrics to unbound-control interface showing crypted, cert request, plaintext and malformed queries (from Manu Bretelle). Do not add current time twice to TTL before ECS cache store. Do not touch rrset cache after ECS cache message generation. Use LDNS_EDNS_CLIENT_SUBNET as default ECS opcode. Fix #1244: document that use of chroot requires trust anchor file to be under chroot. Small fixup for documentation. Fix respip for braces when locks arent used. Fix pythonmod for cb changes. Generalise inplace callback (de)registration (de)register inplace callbacks for module id No unbound-control set_option for ECS options Deprecated client-subnet-opcode config option Introduced client-subnet-always-forward config option Changed max-client-subnet-ipv6 default to 56 (as in RFC) Removed extern ECS config options module_restart_next now calls clear on all following modules Also create ECS module qstate on module_event_pass event remove malloc from inplace_cb_register Unlock view in respip unit test Some whitespace fixup. Remove ECS option after REFUSED answer. Fix small memory leak in edns_opt_copy_alloc. Respip dereference after NULL check. Zero initialize addrtree allocation. Use correct identifier for SHM destroy. Display ECS module memory usage. Fix #1247: unbound does not shorten source prefix length when forwarding ECS. Properly check for allocation failure in local_data_find_tag_datas. Fix #1249: unbound doesn't return FORMERR to bogus ECS. Set SHM ECS memory usage to 0 when module not loaded. subnet mem value is available in shm, also when not enabled, to make the struct easier to memmap by other applications, independent of the configuration of unbound. Fix #1250: inconsistent indentation in services/listen_dnsport.c. Unbound 1.6.1 Download: unbound-1.6.1.tar.gz SHA1 checksum: 41369fcfd37844b02b7293b37ec78e69f0db34c7 SHA256 checksum: 42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400 PGP signature: unbound-1.6.1.tar.gz.asc Date: 21 Feb, 2017 Features configure --enable-systemd and lets unbound use systemd sockets if you enable use-systemd: yes in unbound.conf. Also there are contrib/unbound.socket and contrib/unbound.service: systemd files for unbound, install them in /usr/lib/systemd/system. Contributed by Sami Kerola and Pavel Odintsov. [bugzilla: 1187 ] Source IP rate limiting, patch from Larissa Feng. [bugzilla: 1184 ] Log DNS replies. This includes the same logging information that DNS queries and response code and response size, patch from Larissa Feng. Include root trust anchor id 20326 in unbound-anchor. 64bit is default for windows builds. Bug Fixes [bugzilla: 1176 ] Fix stack size too small for Alpine Linux. Fix unbound-control and ipv6 only. [bugzilla: 1182 ] Fix Resource leak (socket), at startup. [bugzilla: 1178 ] Fix attempt to fix setup error at end, pop result values at end of install. iana portlist update Fix inet_ntop and inet_pton warnings in windows compile. [bugzilla: 1191 ] Fix remove comment about view deletion. [bugzilla: 1188 ] Fix unresolved symbol 'fake_dsa' in libunbound.so when built with Nettle [bugzilla: 1190 ] Fix to not echo back EDNS options in local-zone error response. [bugzilla: 1194 ] Fix if cross build fails when $host isn't `uname` for getentropy. Fix reload chdir failure when also chrooted to that directory. Fix to return formerr for queries for meta-types, to avoid packet amplification if this meta-type is sent on to upstream. [bugzilla: 1201 ] Fix missing unlock in answer_from_cache error condition. [bugzilla: 1202 ] Fix code comment that packed_rrset_data is not always 'packed'. Fix to also block meta types 128 through to 248 with formerr. [bugzilla: 1206 ] Fix that some view-related commands are missing from 'unbound-control -h' Fix to rename ub_callback_t to ub_callback_type, because POSIX reserves _t typedefs. Fix to rename internally used types from _t to _type, because _t type names are reserved by POSIX. Increase MAX_MODULE to 16. [bugzilla: 1211 ] Fix can't enable interface-automatic if no IPv6 with more helpful error message. fix root_anchor test for updated icannbundle.pem lower certificates. Fix compile on solaris of the fix to use $host detect. Fix for type name change and fix warning on windows compile. Fix pythonmod for typedef changes. Fix dnstap for warning of set but not used. Fix autoconf of systemd check for lack of pkg-config. Unbound 1.6.0 Download: unbound-1.6.0.tar.gz SHA1 checksum: 9b7606b016b447dc837efc108cee94f3fecf4ede SHA256 checksum: 6b7db874e6debda742fee8869d722e5a17faf1086e93c911b8564532aeeffab7 PGP signature: unbound-1.6.0.tar.gz.asc Date: 15 Dec, 2016 Features Added generic EDNS code for registering known EDNS option codes, bypassing the cache response stage and uniquifying mesh states. Four EDNS option lists were added to module_qstate (module_qstate.edns_opts_*) to store EDNS options from/to front/back side. Added two flags to module_qstate (no_cache_lookup, no_cache_store) that control the modules' cache interactions. Added code for registering inplace callback functions. The registered functions can be called just before replying with local data or Chaos, replying from cache, replying with SERVFAIL, replying with a resolved query, sending a query to a nameserver. The functions can inspect the available data and maybe change response/query related data (i.e. append EDNS options). Updated Python module for the above. Updated Python documentation. Added views functionality. Added qname-minimisation-strict config option. Patch that resolves CNAMEs entered in local-data conf statements that point to data on the internet, from Jinmei Tatuya (Infoblox). serve-expired config option: serve expired responses with TTL 0. .gitattributes line for githubs code language display. log-identity: config option to set sys log identity, patch from "Robin H. Johnson" (robbat2@gentoo.org). Added stub-ssl-upstream and forward-ssl-upstream options. Added local-zones and local-data bulk addition and removal functionality in unbound-control (local_zones, local_zones_remove, local_datas and local_datas_remove). Bug Fixes Fix #836: unbound could echo back EDNS options in an error response. Fix #838: 1.5.10 cannot be built on Solaris, undefined PATH_MAX. Fix #839: Memory grows unexpectedly with large RPZ files. Fix #840: infinite loop in unbound_munin_ plugin on unowned lockfile. Fix #841: big local-zone's make it consume large amounts of memory. Fix dnstap relaying "random" messages instead of resolver/forwarder responses, from Nikolay Edigaryev. Fix Nits for 1.5.10 reported by Dag-Erling Smorgrav. Fix #1117: spelling errors, from Robert Edmonds. iana portlist update. fix memoryleak logfile when in debug mode. Re-fix #839 from view commit overwrite. Fixup const void cast warning. Removed patch comments from acllist.c and msgencode.c Added documentation doc/CNAME-basedRedirectionDesignNotes.pdf, from Jinmei Tatuya (Infoblox). Fix #1125: unbound could reuse an answer packet incorrectly for clients with different EDNS parameters, from Jinmei Tatuya. Fix #1118: libunbound.pc sets strange Libs, Libs.private values. Added Requires line to libunbound.pc Fix #1130: whitespace in example.conf.in more consistent. suppress compile warning in lex files. init lzt variable, for older gcc compiler warnings. fix --enable-dsa to work, instead of copying ecdsa enable. Fix DNSSEC validation of query type ANY with DNAME answers. Fixup query_info local_alias init. Ported tests for local_cname unit test to testbound framework. g.root-servers.net has AAAA address. Fix #1134: unbound-control set_option -- val-override-date: -1 works immediately to ignore datetime, or back to 0 to enable it again. The -- is to ignore the '-1' as an option flag. Patch for server.num.zero_ttl stats for count of expired replies, from Pavel Odintsov. Fix failure to build on arm64 with no sbrk. Set OpenSSL security level to 0 when using aNULL ciphers. configure detects ssl security level API function in the autoconf manner. Every function on its own, so that other libraries (eg. LibreSSL) can develop their API without hindrance. Fix #1154: segfault when reading config with duplicate zones. Note that for harden-below-nxdomain the nxdomain must be secure, this means nsec3 with optout is insufficient. Fix #1155: test status code of unbound-control in 04-checkconf, not the status code from the tee command. Fix #1158: reference RFC 8020 "NXDOMAIN: There Really Is Nothing Underneath" for the harden-below-nxdomain option. patch from Dag-Erling Smorgrav that removes code that relies on sbrk(). Make access-control-tag-data RDATA absolute. This makes the RDATA origin consistent between local-data and access-control-tag-data. Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain of the NSEC owner. QNAME minimisation uses QTYPE=A, therefore always check cache for this type in harden-below-nxdomain functionality. Added unit test for QNAME minimisation + harden below nxdomain synergy. Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket. hyphen as minus fix, by Andreas Schulze Fix #1170: document that 'inform' local-zone uses local-data. Fix #1173: differ local-zone type deny from unset tag_actions element. Add DSA support for OpenSSL 1.1.0 Fix remote control without cert for LibreSSL Fix downcast warnings from visual studio in sldns code. Unbound 1.5.10 Download: unbound-1.5.10.tar.gz SHA1 checksum: 6102849c400db3a4195b1f16df8f312568a6ec57 SHA256 checksum: a39b8b4fcca2a2b35a2daa53fe35150cc3f09038dc9acede09c912fc248a9486 PGP signature: unbound-1.5.10.tar.gz.asc Date: 27 Sep, 2016 Features Create a pkg-config file for libunbound in contrib. TCP Fast open patch from Sara Dickinson. Finegrained localzone control with define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override. And added types always_transparent, always_refuse, always_nxdomain with that. If more than half of tcp connections are in use, a shorter timeout is used (200 msec, vs 2 minutes) to pressure tcp for new connects. [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6 option to use linux freebind to use 64bits of entropy for every query with random local part. For #787: prefer-ip6 option for unbound.conf prefers to send upstream queries to ipv6 servers. Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e. keep debug symbols in windows build. Bug Fixes [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref). Fix unbound-anchor.exe file location defaults to Program Files with (x86) appended. Fix to not ignore return value of chown() in daemon startup. Better help text from -h (from Ray Griffith). [bugzilla: 773 ] Fix Non-standard Python location build failure with pyunbound. Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures. Revert fix for NetworkService account on windows due to breakage it causes. Fix that windows install will not overwrite existing service.conf file (and ignore gui config choices if it exists). And delete service.conf.shipped on uninstall. In unbound.conf directory: dir immediately changes to that directory, so that include: file below that is relative to that directory. With chroot, make the directory an absolute path inside chroot. do not delete service.conf on windows uninstall. document directory immediate fix and allow EXECUTABLE syntax in it on windows. Fix directory: fix for unbound-checkconf, it restores cwd. Use QTYPE=A for QNAME minimisation. Keep track of number of time-outs when performing QNAME minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE pair is more than three. [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on windows, ignore null delete for wsaevent. Fix spelling in freebind option man page text. Fix windows link of ssl with crypt32. [bugzilla: 779 ] Fix Union casting is non-portable. [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31. [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call. Decrease dp attempts at each QNAME minimisation iteration [bugzilla: 784 ] Fix Build configure assumess that having getpwnam means there is endpwent function available. Updated repository with newer flex and bison output. Fix static compile on windows missing gdi32. Fix dynamic link of anchor-update.exe on windows. Fix detect of mingw for MXE package build. Fixes for 64bit windows compile. [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >= 3.0 and --with-libunbound-only --with-nettle. Fixed unbound.doxygen for 1.8.11. [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux). [bugzilla: 801 ] Fix missing error condition handling in daemon_create_workers(). [bugzilla: 802 ] Fix workaround for function parameters that are "unused" without log_assert. [bugzilla: 803 ] Fix confusing (and incorrect) code comment in daemon_cleanup(). [bugzilla: 806 ] Fix wrong comment removed. use sendmsg instead of sendto for TFO. [bugzilla: 807 ] Fix workaround for possible some "unused" function parameters in test code, from Jinmei Tatuya. Note that OPENPGPKEY type is RFC 7929. [bugzilla: 804 ] Fix #804: unbound stops responding after outage. Fixes queries that attempt to wait for an empty list of subqueries. Fix for #804: lower num_target_queries for iterator also for failed lookups. [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len parameter in each iteration in find_tag_datas(). [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior. RFC 7958 is now out, updated docs for unbound-anchor. Fix for compile without warnings with openssl 1.1.0. [bugzilla: 826 ] Fix refuse_non_local could result in a broken response. iana portlist update. Fix compile with openssl 1.1.0 with api=1.1.0. [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value has an off-by-one typo, from Jinmei Tatuya (Infoblox). Fix incomplete prototypes reported by Dag-Erling Smørgrav. [bugzilla: 828 ] Fix missing type in access-control-tag-action redirect results in NXDOMAIN. Take configured minimum TTL into consideration when reducing TTL to original TTL from RRSIG. [bugzilla: 831 ] Fix workaround for spurious fread_chk warning against petal.c Silenced flex-generated sign-unsigned warning print with gcc diagnostic pragma. Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len. fix potential memory leak in daemon/remote.c and nullpointer dereference in validator/autotrust. [bugzilla: 883 ] Fix error for duplicate local zone entry. [bugzilla: 835 ] Fix --disable-dsa with nettle verify.
|