github NLnetLabs/unbound release-1.25.0
Unbound 1.25.0

This release has some features and a number of bug fixes.

The release is signed with the OpenPGP software signing key that is
in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys .

For cached records, the last second, when the remaining lifetime reaches 0,
is now treated differently: a TTL of 0 counts as expired. A client no longer
sees a 0 TTL for a record that did not originally have a 0 TTL.
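As an added illustration (not code from the Unbound project), the following Python models the TTL behaviour described above and in the feature list: the RFC 8767 section 4 decoding, where a set high-order bit is a positive value rather than 0, the cap that Unbound applies through cache-max-ttl (assumed default 86400), the rule that an entry whose remaining lifetime reaches 0 is expired, that TTL 0 upstream answers skip cachedb, and serve-expired-reply-ttl (assumed default 30) capped by the original TTL. The class and function names are this example's own.

```python
import struct

# Assumed for this example: Unbound's cache-max-ttl option caps stored TTLs,
# with a default of 86400 seconds.
CACHE_MAX_TTL = 86400


def decode_ttl(wire: bytes, cache_max_ttl: int = CACHE_MAX_TTL) -> int:
    """Decode a 4-byte wire-format TTL.

    RFC 8767 section 4 reads the TTL as an unsigned 32-bit value, so a set
    high-order bit yields a large positive TTL instead of 0 (the older
    RFC 2181 reading).  The result is then capped like any other large TTL.
    """
    (ttl,) = struct.unpack("!I", wire)
    return min(ttl, cache_max_ttl)


def cachedb_should_store(ttl: int) -> bool:
    """Upstream answers with TTL 0 are not written to cachedb."""
    return ttl > 0


class CacheEntry:
    """A cached RRset with the TTL semantics described in the release notes."""

    def __init__(self, original_ttl: int, stored_at: int):
        self.original_ttl = original_ttl
        self.expiry = stored_at + original_ttl

    def is_expired(self, now: int) -> bool:
        # The last second is treated as expired: once the remaining lifetime
        # reaches 0 the entry is no longer served as fresh.
        return now >= self.expiry

    def reply_ttl(self, now: int, serve_expired_reply_ttl: int = 30) -> int:
        """TTL to put in a reply built from this entry.

        A fresh entry reports its remaining lifetime, which is never 0 for a
        record whose original TTL was non-zero.  An expired entry served under
        serve-expired gets serve-expired-reply-ttl (assumed default 30), capped
        by the original TTL so the reply never advertises a longer life than
        the record ever had.
        """
        if not self.is_expired(now):
            return self.expiry - now
        return min(serve_expired_reply_ttl, self.original_ttl)
```

A record stored with TTL 10 at t=100 is fresh at t=109 (reply TTL 1) and expired at t=110; served as expired it gets TTL 10, not the 30 of serve-expired-reply-ttl.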

Statistics counters were added for the mesh reply count.
The num.queries.replyaddr_limit value counts the number of queries
removed due to replyaddr limits, and requestlist.current.replies tracks
the current amount.

With log-thread-id the Linux thread id can be logged, for easier
debugging. The contrib/gost12.patch adds ECC-GOST12 support; it was
contributed by Igor V. Ruzanov.

For DNAME records received with a TTL of 0, the synthesized responses
can be served from cache within a 1 second grace period.
This reduces recursion when authoritative servers set TTL 0 on DNAMEs.

The reload and fast_reload commands can change the TLS certificates
if the files have changed. The tls-protocols option allows setting
which TLS protocols are available, with "TLSv1.2 TLSv1.3" enabled
by default.

If pthread_setname or similar is available, it is used to give
descriptive names to the threads of unbound, when using pthreads.

There is a new option, iter-scrub-rrsig: 8, that limits the
number of RRSIGs for RRsets. This protects against overly
large numbers of RRSIGs. The default of 8 is the same as the
number of signatures that the validator verifies. Thanks to
Yuxiao Wu, Tsinghua University for the report.

There is a fix for a local privilege escalation on Windows.
It fixes the OpenSSL init calls, to not load openssl.cnf for
Windows. Thanks to Hao Huang and CrisprXiang with Fudan University
for the report.

There is a fix to elide SVCB and HTTPS records that match
the private-address filter. It fixes a DNS Rebinding Bypass
via SVCB/HTTPS Records in Unbound. Thanks to Kunta Chu, School
of Software, Tsinghua University, Taofei Guo, Peking
University, and Jianjun Chen, Institute for Network Sciences
and Cyberspace, Tsinghua University for the report.
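As an added example (not Unbound's own scrubber code), the Python below applies the two scrub policies described above to a parsed answer section: it keeps at most iter-scrub-rrsig RRSIGs per owner and type covered, and it elides A, AAAA, SVCB and HTTPS records that point into private-address ranges. For SVCB/HTTPS the addresses are taken from the ipv4hint and ipv6hint SvcParams (keys 4 and 6), which is an assumption about what "match the filter" means; the private ranges are constructed to mirror the example unbound.conf, and dropping malformed SVCB rdata is this example's choice. The sample HTTPS rdata is constructed inline.

```python
import ipaddress
import struct
from collections import defaultdict

# Constructed to mirror the private-address ranges in the example unbound.conf;
# a deployment uses whatever it configures.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10",
)]

SVCPARAM_IPV4HINT = 4   # SvcParamKey for ipv4hint
SVCPARAM_IPV6HINT = 6   # SvcParamKey for ipv6hint


def _skip_name(rdata: bytes, pos: int) -> int:
    """Advance past an uncompressed wire-format name that starts at pos."""
    while True:
        n = rdata[pos]            # IndexError on truncated rdata
        pos += 1
        if n == 0:
            return pos
        if n >= 0xC0:
            raise ValueError("compression pointer not allowed in SVCB target")
        pos += n


def svcb_hint_addresses(rdata: bytes) -> list:
    """Addresses carried in ipv4hint/ipv6hint SvcParams of SVCB/HTTPS rdata."""
    pos = _skip_name(rdata, 2)    # 2-byte SvcPriority, then TargetName
    addrs = []
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        value = rdata[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        pos += length
        size = {SVCPARAM_IPV4HINT: 4, SVCPARAM_IPV6HINT: 16}.get(key)
        if size is None:
            continue              # other SvcParams carry no addresses
        if length % size:
            raise ValueError("malformed address hint")
        addrs += [ipaddress.ip_address(value[i:i + size])
                  for i in range(0, length, size)]
    return addrs


def record_addresses(rr: dict) -> list:
    """All addresses an RR can steer a client to, for the private-address check."""
    if rr["type"] in ("A", "AAAA"):
        return [ipaddress.ip_address(rr["rdata"])]
    if rr["type"] in ("SVCB", "HTTPS"):
        return svcb_hint_addresses(rr["rdata"])
    return []


def scrub_answer(rrs: list, private_nets=PRIVATE_ADDRESS,
                 iter_scrub_rrsig: int = 8) -> list:
    """Return the records that survive the RRSIG limit and private-address filter."""
    kept = []
    rrsig_count = defaultdict(int)
    for rr in rrs:
        if rr["type"] == "RRSIG":
            k = (rr["name"].lower(), rr["type_covered"])
            rrsig_count[k] += 1
            if rrsig_count[k] > iter_scrub_rrsig:
                continue          # beyond the number the validator would verify
        else:
            try:
                addrs = record_addresses(rr)
            except (ValueError, IndexError):
                continue          # malformed SVCB/HTTPS rdata is dropped (assumption)
            if any(a in net for a in addrs for net in private_nets):
                continue          # would rebind a public name to a private address
        kept.append(rr)
    return kept


# Constructed sample: an HTTPS record with TargetName "." and an ipv4hint
# that mixes a public (TEST-NET-2) address with a private 10/8 address.
SAMPLE_HTTPS_RDATA = (
    b"\x00\x01"           # SvcPriority 1
    b"\x00"               # TargetName "." (root)
    b"\x00\x04\x00\x08"   # key 4 = ipv4hint, length 8
    + bytes([198, 51, 100, 7]) + bytes([10, 0, 0, 5])
)
```

Before the fix, only the A/AAAA path existed, so the HTTPS record with a 10.0.0.5 hint would have reached the client; here it is removed together with any A record in a private range, while the public A record survives.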

There is a fix to ignore out-of-zone DNAME records for
CNAME synthesis. Thanks to Yuxiao Wu, Yiyi Wang, Zhang Chao,
Baojun Liu, and Haixin Duan from Tsinghua University.

There is a fix to check for invalid http content length and chunk
size, and to check the RR rdata field lengths when decompressing and
inserting RRs from an authority zone transfer. This stops
large memory use and heap buffer-overflow read errors. Thanks
to Haruto Kimura (Stella) for the report.

In addition, there is a fix to improve RFC7766 compliance for
responses over TCP. When the client sends EOF over TCP, it stops
pending replies and closes immediately. Thanks to Yuxiao Wu,
Tsinghua University for the report.

There is a fix for the Jiggle Attack. The server is fixed to answer
with errors for error cases, and does not stay silent.
In addition, the error replies do not contain parts of the
incoming query. This is more conformant, stops reflection
and stops it as a covert channel. Thanks to Yuqi Qiu and
Xiang Li, Nankai University (AOSP Lab) for the report.
In addition, thanks to Qifan Zhang, Palo Alto Networks, for
noting the fingerprinting possibility, that is also fixed
with this.

There is a fix for EDNS extended RCODE reflection. The server
no longer echoes extended rcode values after class CHAOS
queries. Thanks to Qifan Zhang, Palo Alto Networks
for the report.

There is a fix for iterator RCODE handling of YXDOMAIN. The server
now only accepts YXDOMAIN answers that contain a DNAME record.
This stops bad answers, and checks that the authoritative server
gives correct replies.
Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for a missing bounds check for decompressing dnames
for downloaded authority zones. Previously, the server could end up
with malformed zone content after receiving truncated packet
contents from an AXFR. In addition, the domain names in the SOA
rdata are checked before the authority code picks up the zone
serial. Thanks to Halil Oktay for the report.

There is a fix for upstream TLS connections, so that they are
not reused as TLS connections for a different name, at the same
IP. This checks that the tls name is correct when reusing the
upstream connections. Thanks to TaoFei Guo from Peking University
and JianJun Chen from Tsinghua University for the report.
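The reuse check described above, as an added model (not Unbound's outgoing-connection code): a pool of open upstream TLS connections is searched for one to reuse, and the fixed lookup requires the name the certificate was authenticated against to match the name the new query's upstream demands, not just the address and port. The class and attribute names are this example's own; the address-only lookup is kept only to show the weaker behaviour it replaces.

```python
class OutgoingTlsConnection:
    """An open upstream TLS connection and the name it was authenticated for."""

    def __init__(self, ip: str, port: int, tls_auth_name: str):
        self.ip = ip
        self.port = port
        # Name the server certificate was verified against at handshake time.
        self.tls_auth_name = tls_auth_name.rstrip(".").lower()


class OutgoingTlsPool:
    def __init__(self):
        self._open = []

    def add(self, conn: OutgoingTlsConnection) -> None:
        self._open.append(conn)

    def find_reusable_address_only(self, ip: str, port: int):
        """Weak lookup (the behaviour the fix replaces, modelled here): any open
        connection to the same address and port is handed out, even if it was
        authenticated for a different name."""
        for c in self._open:
            if (c.ip, c.port) == (ip, port):
                return c
        return None

    def find_reusable(self, ip: str, port: int, tls_auth_name: str):
        """Fixed lookup: reuse only when the authenticated name also matches,
        so a connection verified for one name never carries queries meant
        for another name at the same IP."""
        wanted = tls_auth_name.rstrip(".").lower()
        for c in self._open:
            if (c.ip, c.port) == (ip, port) and c.tls_auth_name == wanted:
                return c
        return None
```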

There is a fix so that signatures made with revoked DNSKEYs are not
accepted. This adheres to the processing rules from RFC5011.
Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for checking that a DNAME with an unsigned CNAME has
a correct match. Previously, for certain zone configurations, an
unchecked unsigned CNAME could get secure status. Thanks to Qifan
Zhang, Palo Alto Networks for the report.
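The DNAME fixes above (ignoring out-of-zone DNAMEs for synthesis, accepting YXDOMAIN only alongside a DNAME, and checking that an unsigned CNAME matches its DNAME) share one piece of logic: computing what a DNAME is allowed to synthesize. The Python below, an added example and not Unbound's code, implements RFC 6672 CNAME synthesis with the zone check in front of it, raises when the synthesized name would exceed 255 octets (the case where RFC 6672 has the server answer YXDOMAIN), and uses that to decide whether an unsigned CNAME is the one the DNAME produces. The function names and the `zone` parameter (the zone the responding server is authoritative for) are this example's own.

```python
class NameTooLong(Exception):
    """Synthesized name exceeds 255 octets; RFC 6672 answers YXDOMAIN here."""


def _labels(name: str) -> list:
    """Presentation-format name to lower-cased labels (root omitted)."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def is_subdomain(name: str, zone: str, strict: bool = False) -> bool:
    """True if name is at or below zone (strictly below when strict=True)."""
    n, z = _labels(name), _labels(zone)
    if len(n) < len(z) or (strict and len(n) == len(z)):
        return False
    return n[len(n) - len(z):] == z


def wire_length(labels: list) -> int:
    """Octets of the wire-format name: length byte + label, plus root byte."""
    return sum(len(label) + 1 for label in labels) + 1


def synthesize_cname(qname: str, dname_owner: str, dname_target: str,
                     zone: str):
    """Return the CNAME target a DNAME synthesizes for qname, or None.

    The DNAME is ignored when its owner lies outside the zone the responding
    server is authoritative for, and it applies only to names strictly below
    its owner.
    """
    if not is_subdomain(dname_owner, zone):
        return None                      # out-of-zone DNAME: ignored
    if not is_subdomain(qname, dname_owner, strict=True):
        return None                      # DNAME does not cover qname
    q, owner, target = _labels(qname), _labels(dname_owner), _labels(dname_target)
    new_labels = q[:len(q) - len(owner)] + target
    if wire_length(new_labels) > 255:
        raise NameTooLong(".".join(new_labels) + ".")
    return ".".join(new_labels) + "."


def unsigned_cname_matches_dname(qname: str, dname_owner: str,
                                 dname_target: str, cname_target: str,
                                 zone: str) -> bool:
    """An unsigned CNAME next to a validated DNAME may be accepted only if it
    is exactly what the DNAME synthesizes for qname."""
    try:
        expected = synthesize_cname(qname, dname_owner, dname_target, zone)
    except NameTooLong:
        return False
    return expected is not None and _labels(expected) == _labels(cname_target)
```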

There is a fix for the handling of wildcard CNAMEs in the chain
of trust. An improper wildcard in the chain of trust would send the
retries to the wrong upstream. Also it could label the step in the
chain of trust as secure, when it was not. Thanks to Qifan Zhang,
Palo Alto Networks for the report.

Compared to the rc1, the release contains a fix for a buffer overrun
in the DoQ code.

Features

  • Merge #1337: 0 TTL cached replies and some TTL behavior changes.
  • TTL change: Cached records that reach TTL 0 are expired.
  • TTL change: TTL 0 upstream answers are no longer cached by
    cachedb, as they should.
  • TTL change: 'serve-expired-reply-ttl' is now capped by the original
    TTL value of the record to try and make some sense when replying
    with expired records.
  • TTL change: TTL decoding was updated to adhere to RFC8767 section 4
    where a 'set high-order bit' means the value is positive instead of
    0.
  • Merge #1374: Mesh reply counters.
    This adds the statistics num.queries.replyaddr_limit and
    requestlist.current.replies.
  • Introduce the 'log-thread-id' configuration option to manage logging
    the system-wide Linux thread ID for easier debugging with system
    tools.
  • Fix #1389: [FR] replacement with ECC-GOST12 according to RFC9558.
    Patch contributed by Igor V. Ruzanov, available in
    contrib/gost12.patch.
  • Merge #1411: Allow synthesized DNAME TTL=0 to be served from cache
    within grace period. The responses are served from cache within
    a 1-second grace period. Reduces recursion when authoritative
    servers return DNAME with TTL=0 (RFC 2308). Response
    still returns TTL=0 to clients. Adds a test for it.
  • Fix #278: DoT: complete unbound restart required on certificate
    renew. Fix so that a reload checks if the files have changed, and
    if so, reload the contexts. Also for DoH, DoQ and outgoing DoT.
  • For #278: fast_reload can reload tls-service-key, tls-service-pem
    and tls-cert-bundle changes. It checks the modification time of
    the tls-service-key and tls-service-pem files for update.
  • Fix to allow the control-interface config to use ip@port notation.
  • Fix to shorten RRSIG count in scrubber, this protects against
    an overly large number of RRSIGs. It can be configured with
    iter-scrub-rrsig: 8, it has default 8. Thanks to Yuxiao Wu,
    Tsinghua University for the report.
  • Introduce new 'tls-protocols' configuration option that specifies
    which of the supported TLS protocols will be used.
    TLSv1.2 is again enabled by default, but can be selectively turned
    off if desired (related to #1303).
  • Merge #1400: Support pthread_setname_np. Adds support for
    pthread_setname_np and variants to set the name on spawned threads
    for easier debugging/monitoring.

Bug Fixes

  • Update README.man with clearer text.
  • unbound.conf manpage: explicitly mention RFC6891.
  • Fix to remove configure~ from release tarballs.
  • Merge #1352 from Petr Vaganov: pythonmod: fix HANDLE_LEAK on
    pythonmod_init.
  • For #1352, align with the current Python<3 code.
  • Merge #1350 from Maryse47: unbound.service.in: allow CAP_NET_ADMIN.
  • For #1350, same CAP_NET_ADMIN change for unbound_portable.service.in
    as well.
  • Avoid calling mesh_detect_cycle_found() when there is no mesh state
    to begin with.
  • Test for nonstring attribute in configure and add
    nonstring attribute annotations.
  • Merge #1349: Fix #1346: [FR] Please allow back TLS 1.2.
  • Merge #1351: ac_cv_func_malloc_0_nonnull for malloc(0) check.
  • Rebuild configure script from its sources.
  • Fix modstack_call_init to use the original string when it has
    changed, to call modstack_config with. And skip the changed name
    in the string correctly. Thanks to Jan Komissar.
  • Neaten up the change in acx_nlnetlabs.m4 to version 49.
  • Fix fr_atomic_copy_cfg.
  • Rebuild configure script from its sources.
  • Fix #1353: auth-zone can not use empty label for $ORIGIN when
    http download.
  • Fix #1344: module conf 'respip dns64 validator cachedb iterator'
    is not known to work.
  • Fix for #1344: Fix that respip and dns64 can be enabled at the
    same time, the client info is copied for attach_sub and add_sub
    calls. That makes respip work on dns64 synthesized answers, and
    also makes RPZ work with DNS64. The order for the modules is
    module-config: "respip dns64 validator iterator".
  • Fix that https is set up as enabled when the port is listed in
    interface-automatic-ports. Also for the set up of quic it is
    enabled when listed there.
  • Note 'respip' and 'dns64' module order in the unbound.conf
    man page.
  • Note clearly that 'wait-limit: 0' disables all wait limits.
  • 'wait-limit-cookie: 0' can now disable cookie validated wait
    limits.
  • Fix #1358 Enabling FIPS in OpenSSL causes unit test to fail.
  • Fix to drop UDP for discard-timeout, but not stream connections.
  • Fix to reply with SERVFAIL when the wait-limit is exceeded.
  • Add extended dns error code for invalid query type to definition
    list.
  • Fix unbound.conf man page entry for root-hints to say it can
    be used without strongly recommending it.
  • Remove iPhone armv7s, and iPhoneSimulator i386 from ios ci.
    The lib system does not provide symbols for it on the new macos
    runner.
  • Fix to exclude libssp for windows compiles.
  • unbound.conf man page updates to include a preview of the section
    clauses and some reformatting around the use of "clause", "option"
    and "attributes". Based on Havard Eidnes' suggestions on the
    mailing list.
  • Fix unused attribute warning in redis.c when threads are not
    supported.
  • For #1364, use OPENSSL_VERSION_TEXT instead of OPENSSL_VERSION_NUMBER
    for part of the configure script. OPENSSL_VERSION_TEXT is more
    consistent across versions.
  • Merge #1331 from Jitka Plesníková: Replace deprecated $function by
    new $action, for SWIG.
  • Fix #1165, document the possible circular dependency when using
    host names instead of IP addresses for name servers in stub/forward
    zones and log a warning when spotted in the configuration.
  • Fix #1366: Infra cache does not work correctly for NAT64, by
    moving the NAT64 synthesis from the iterator when selecting a target
    address, to the delegation point itself when adding target
    addresses.
  • Fix dns64 log output to log the default instead of a null string.
  • Add a comment to the worker_handle_request function that explains it.
  • Fix configure test for noreturn attribute so it compiles without
    warning.
  • Fix configure test for nonstring attribute so that it does not
    accept when the compiler prints a warning about an unknown
    attribute.
  • Fix that when the discard timeout drops packets, they are accounted as
    fewer reply addresses in use in the mesh area.
  • iana portlist updated.
  • Merge #1375: Copy DNSTAP changes from daemon to workers after
    fast_reload.
  • For #1375, there is no DNSTAP environment if it wasn't configured.
  • Fix to add EDNS CO flag to testbound and debug message log.
  • Fix header comment about EDE reference in validator/val_sigcrypt.h.
  • Fix to remove http2 stream mesh state when mesh new request is
    dropping the new request.
  • Fix http2 drop handling to clear the postpone_drop state so that
    other streams on the http2 session are not affected by a drop,
    and can clean up properly if also dropped. Fix http2 send reply
    so that when there is a send failure it does not recurse into
    the mesh functions and also does not drop the connection due to
    the condition of one stream.
  • More specific wording in the unbound.conf man page for stub-first
    and forward-first options.
  • Mark "THROWAWAY" and "(DNSSEC) LAME" responses clearly as Unbound's
    categorization in the log output.
  • Update the unbound-anchor man page to note write permissions of the
    generated file if it is to be used with Unbound's
    auto-trust-anchor-file option.
  • Use the same EDE removal logic when encoding errors as when encoding
    replies.
  • Merge #1391 from Götz Görisch: Fix documentation to adhere to
    RFC5952.
  • Fix edns subnet for scope-zero queries: when there is a subquery
    without subnet and the forward-no-cache or stub-no-cache option is
    set, the answer is not stored in cache, because of the forward or
    stub option.
  • Merge #1381: Do not initialize quic_table unless it is enabled.
  • Fix documentation for requestlist.overwritten and
    requestlist.exceeded, it explains which query was dropped.
  • Merge #1392: Include "V" (version) option in synopsis.
  • Merge #1388: QNX Porting support for unbound.
  • Fix that fast reload copies the iter_scrub_ns, iter_scrub_cname
    and max_global_quota options.
  • Fix http test tool petal to not print errors when there is no
    error.
  • Merge #1396: Log Linux thread ID.
  • On Linux systems log the system-wide unique thread ID instead of
    Unbound's internal thread counter.
  • Update generated man pages.
  • Fix that allow-notify entries with hostnames are copied after IPv4
    and IPv6 lookup.
  • Fix to not skip allow-notify hostname lookups when there are only
    urls.
  • Add test for allow-notify with a host name.
  • Eagerly remove .skip mark files in between mini_tdir.sh runs in case
    there has been a change on the environment.
  • Fix local privilege escalation on Windows. Thanks to Hao Huang and
    CrisprXiang with Fudan University for the report. The OpenSSL
    init calls are set to not load the openssl.cnf file when compiled
    for Windows.
  • Merge #1401: Add a new build-time option for system TLS.
    The --enable-system-tls flag enables the
    tls-use-system-policy-versions setting by default.
  • Update generated man pages.
  • Fix #1403: Inconsistency between do-nat64 and do-not-query-address
    during retries.
  • Fix that cachedb aggressive negative responses have the RA flag set.
  • Fix #1404: Priming the root key fails after loading ipfire.org RPZ
    zones. Fixed by including the ZONEMD RRtype in the list of types to
    ignore for RPZ zones. Analysis and patch provided by ummeegge.
  • Fix to remove unused conditional from cookie timestamp at
    worker env.
  • For #1405: local-zone always_refuse also blocks queries of type DS.
  • Fix to disallow cache lookup/store in external cachedb when a
    forwarder/stub forbids it with the no-cache option.
  • Fixed some typos reported in #1395 by rezky_nightky.
  • Fix to have cachedb not return expired bogus data as non-bogus.
  • Fix to make the cachedb_val_expired.crpl succeed.
  • Fix validator to set unchecked when validation recursion
    requests are passed. The edns subnet module checks if validation
    is needed for a cache response, and set the validator to protect
    the cache with validation for non-subnet lookups.
  • Merge #1409: Documentation CNAME in redirect-type local-zone.
  • Update generated man pages.
  • For #1411: Fix that the lookup for DNAME uses flag. Fix assertion
    in expired calc debug routine.
  • For #1411: Introduce a failing case in the rpl test so that it only
    passes with the fix in place.
  • Fix for DNS Rebinding Bypass via SVCB/HTTPS Records in Unbound.
    Thanks to Kunta Chu, School of Software, Tsinghua University,
    Taofei Guo, Peking University, and Jianjun Chen, Institute for
    Network Sciences and Cyberspace, Tsinghua University for the
    report. The private-address option is fixed to also elide
    SVCB and HTTPS records that match the filter.
  • Update generated man pages.
  • Document the suggestion for a higher value for 'outgoing-range';
    helps when the request list is full.
  • Warn for unused 'nodefault' local-zone configuration in
    unbound-checkconf (related to #1416).
  • Merge #1415: Add lock unlock for view in memory error handling.
  • Fix compile failure in unbound-checkconf for older gcc compiler.
  • Merge #1418: Apply cache TTL policy to DNAME and synthesized
    CNAME on wire path.
  • iana portlist updated.
  • Fix detection of http listening port in fast_reload.
  • Fix to add tls-service-key to memory printout for fast_reload.
  • Fix to ignore out-of-zone DNAME records for CNAME synthesis. Thanks
    to Yuxiao Wu, Yiyi Wang, Zhang Chao, Baojun Liu, and Haixin Duan from
    Tsinghua University.
  • Fix for testcode pktview to check buffer size and log errors.
  • Fix to check for invalid http content length and chunk size,
    and to check the RR rdata field lengths when decompressing and
    inserting RRs from an authority zone transfer. This stops
    large memory use and heap buffer-overflow read errors. Thanks
    to Haruto Kimura (Stella) for the report.
  • Fix test code to allow empty hex answer packets from testbound.
  • Fix defense in depth for service callback with empty packet.
  • Merge #1408: Fix shared memory stats with threads.
  • Fix unused variable warning.
  • Fix for EDNS client subnet so that it does not store SERVFAIL in
    the global cache after a failed lookup, such as timeouts. A failure
    entry is stored in the subnet cache, for the query name, for a
    couple of seconds. Queries can continue to use the subnet cache
    during that time.
  • Update the documentation of 'max-query-restarts' in the man page.
  • Fix #1017: memory corruption related core dumps.
    When alloc_reg_obtain has an empty list, return a new allocation.
  • Fix clang analyzer warning for subnetmod, when return_msg is
    NULL for update cache, like when it stores servfail status.
  • iana portlist updated.
  • Fix RFC7766 compliance when client sends EOF over TCP. It stops
    pending replies and closes. Thanks to Yuxiao Wu, Tsinghua
    University for the report.
  • Fix configure, autoconf for #1406.
  • Merge #1406: Introduce new 'tls-protocols' configuration option.
  • Introduce new 'tls-protocols' configuration option that specifies
    which of the supported TLS protocols will be used.
    This change invalidates some previous changes:
      • TLSv1.2 is again enabled by default, but can be selectively turned
        off if desired (related to #1303).
      • The briefly introduced (not yet released) 'tls-use-system-versions'
        configuration option, that addressed #1346, is reverted in favor of
        'tls-protocols'.
      • The briefly introduced (not yet released) '--enable-system-tls'
        configure option, related to #1401, is no longer needed with the new
        option and the current default.
  • Fix cleaning up DoH session. The same query can be on multiple
    streams in a session.
  • Fix setup of ssl context copy of the tls service pem option,
    from a clang analyzer warning.
  • Fix setup of ssl context copy, to check for the tls service
    pem option for stat calls.
  • Fix to compile the shm code when there is no shmget.
  • Update github ci to use actions/checkout@v6.
  • Update github ci cross platform to use
    cross-platform-actions/action@v1.0.0.
  • Fix github ci to speed up with parallel build, for windows ci.
  • Fix compat/chacha_private sigma and tau definitions to use
    nonstring attribute.
  • Fix compat/gmtime_r old style definition syntax.
  • Fix to increase size of the buffer for the win_svc reportev log
    function.
  • Fix ttl comparisons in rdata_copy for 32bit signed or unsigned.
  • Fix subnet store of servfail to not leak memory.
  • Update generated man pages.
  • Update generated configure, with autoconf.
  • Fix pthread_setname detection to fail on warnings.
  • Fix compile warnings for thread setname routine, and test compile.
  • Fix unused variable warning when compiled without ssl.
  • Fix test with https zone for libressl.
  • Add test case for malformed SVCB records. Thanks to
    Qifan Zhang, Palo Alto Networks for the additional test.
  • Fix for the Jiggle Attack. The server is fixed to answer
    with errors for error cases, and does not stay silent.
    In addition, the error replies do not contain parts of the
    incoming query. This is more conformant, stops reflection
    and stops it as a covert channel. Thanks to Yuqi Qiu and
    Xiang Li, Nankai University (AOSP Lab) for the report.
    In addition, thanks to Qifan Zhang, Palo Alto Networks, for
    noting the fingerprinting possibility, that is also fixed
    with this.
  • Fix EDNS extended RCODE reflection. The server no longer echoes
    extended rcode values after class CHAOS queries. Thanks to
    Qifan Zhang, Palo Alto Networks for the report.
  • Fix for iterator RCODE handling of YXDOMAIN. The server now only
    accepts YXDOMAIN answers that contain a DNAME record. This stops
    bad answers, and checks that the authoritative server gives
    correct replies.
    Thanks to Qifan Zhang, Palo Alto Networks for the report.
  • Fix for missing bounds check for decompressing dnames
    for downloaded authority zones. Previously, the server could
    end up with malformed zone content after receiving truncated
    packet contents from an AXFR. In addition, the domain names
    in the SOA rdata are checked before the authority code picks
    up the zone serial.
    Thanks to Halil Oktay for the report.
  • Fix that upstream TLS connections are not reused as TLS
    connections for a different name, at the same IP. This
    checks that the tls name is correct when reusing the
    upstream connections. Thanks to TaoFei Guo from Peking
    University and JianJun Chen from Tsinghua University for
    the report.
  • Fix so that signatures made with revoked DNSKEYs are not accepted.
    Thanks to Qifan Zhang, Palo Alto Networks for the report.
  • Fix that a DNAME with an unsigned CNAME is checked for
    the correct match. Previously, for certain zone
    configurations, an unchecked unsigned CNAME could get
    secure status. Thanks to Qifan Zhang, Palo Alto Networks
    for the report.
  • Fix handling of wildcard CNAMEs in the chain of trust.
    An improper wildcard in the chain of trust would send
    the retries to the wrong upstream. Also it could label
    the step in the chain of trust as secure, when it was not.
    Thanks to Qifan Zhang, Palo Alto Networks for the report.
  • Fix doxygen comment syntax.
  • Merge #1441: Fix buffer overrun in
    doq_repinfo_retrieve_localaddr().
  • For #1441: Fix type of ipv6 addr struct.
