This security release fixes CVE-2025-11411.
Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.
The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.
Bug Fixes:
- Fix CVE-2025-11411 (possible domain hijacking attack), reported by
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
University.