Tags

gen_1.24.1_v0.1.0

release-1.24.2

Unbound 1.24.2

This security release has additional fixes for CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies mitigating the possible
poison effect.

Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS
RRSets (and their respective address records) from YXDOMAIN and
non-referral nodata replies as well, mitigating the possible poison
effect.

We would like to thank TaoFei Guo from Peking University, Yang Luo and
JianJun Chen from Tsinghua University for discovering and responsibly
disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.

Bug Fixes:
- Additional fix for CVE-2025-11411 (possible domain hijacking attack),
  to include YXDOMAIN and non-referral nodata answers in the mitigation
  as well, reported by TaoFei Guo from Peking University, Yang Luo and
  JianJun Chen from Tsinghua University.

release-1.24.1

Unbound 1.24.1

This security release fixes CVE-2025-11411.

Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt

We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.

Bug Fixes:
- Fix CVE-2025-11411 (possible domain hijacking attack), reported by
  Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
  University.

release-1.24.0

Unbound 1.24.0

This release features increased defaults, num.valops statistic,
unbound-control cache_lookup, and bug fixes.

The default value increase for num-queries-per-thread is to make
saturation of the task queue more resource intensive and less
practical. Thanks to Shiming Liu, Network and Information Security
Lab, Tsinghua University for the report.

The default value increase for so-sndbuf is to mitigate a cross-layer
issue where the UDP socket send buffers are exhausted waiting for
ARP/NDP resolution. Thanks to Reflyable for the report.

To help the server start more easily, the setsockopt for sndbuf buffer
size prints a warning instead of a failure to start the server if it
can not set the buffer size.

Various cache -slabs options are auto-configured if not specified
in the config file. It uses a power of two close to the number of
threads. When the option is specified in the config file that value
is used instead.

An extra statistic is added to track the number of signature validation
operations by the validator, `num.valops`.

The unbound-control `cache_lookup` command prints cache information for
names in the domain given. This prints similar to dump_cache, but only
names under the zone(s) specified. Because of that it locks the caches
for a much shorter time, and this is good for server responsiveness.

The `sock-queue-timeout` option is adapted to work on FreeBSD as well
as Linux.

Features
- Increase default to `num-queries-per-thread: 2048`, when unbound is
  compiled with libevent. It makes saturation of the task queue more
  resource intensive and less practical. Thanks to Shiming Liu,
  Network and Information Security Lab, Tsinghua University for the
  report.
- Merge #1276: Auto-configure '-slabs' values.
- Change default for so-sndbuf to 1m, to mitigate a cross-layer
  issue where the UDP socket send buffers are exhausted waiting
  for ARP/NDP resolution. Thanks to Reflyable for the report.
- Adjusted so-sndbuf default to 4m.
- Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to
  track the number of signature validation operations.
  Adds 'num.valops' to extended statistics.
- Fix #1303: [FR] Disable TLSv1.2.
- unbound-control cache_lookup <domains> prints the cached rrsets
  and messages for those.
- unbound-control cache_lookup +t allows tld and root names. And
  subnet cache contents are printed.
- Fix #1319: [FR] zone status for Unbound auth-zones.

Bug Fixes
- Fix #1272: assertion failure testcode/unitverify.c:202.
- Merge #1275: Use macros for the fr_check_changed* functions.
- Fix for parallel build of dnstap protoc-c output.
- Fix dnstap to use protoc.
- Sync unbound and unbound-checkconf log output for unknown modules.
- Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ."
  in 1.23.0, but worked in 1.22.0.
- Fix #1283: Unsafe usage of atoi() while parsing the configuration
  file.
- Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on
  broken auth zones that include unsigned out of zone (above apex)
  data. Could lead to hang while trying to prove a wildcard answer.
- Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
  by adding a log_assert() to safeguard future development.
- Fix #1282: log-destaddr fail on long ipv6 addresses.
- Fix config of slab values when there is no config file.
- Fix for cname chain length with qtype ANY and qname minimisation.
  Thanks to Jim Greenwood from Nominet for the report.
- Merge #1285:  RST man pages. It introduces restructuredText man pages
  to sync the online and source code man page documentation.
  The templated man pages (*.in) are still part of the repo but
  generated with docutils from their .rst counterpart.
  Documentation on how to generate those (mainly for core developers)
  is in README.man.
- Add more checks about respip in unbound-checkconf.
  Also fixes #310: unbound-checkconf not reporting RPZ configuration
  error.
- Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound
  program.
- Small manpage corrections for the 'disable-dnssec-lame-check' option.
- Fix unbound-anchor certificate file read for line ends and end of
  file.
- Fix comment for the dname_remove_label_limit_len function.
- iana portlist updated.
- Fix bitwise operators in conditional expressions with parentheses.
- Fix conditional expressions with parentheses for bitwise and.
- Fix header return value description for skip_pkt_rrs and
  parse_edns_from_query_pkt.
- Fix to check control-interface addresses in unbound-checkconf.
- Fix #1295: Windows 32-bit binaries download seems to be missing dll
  dependency.
- Fix for consistent use of local zone CNAME alias for configured auth
  zones. Now it also applies to downstream configured auth zones.
- Fix #1296: DNS over QUIC depends on a very outdated version of
  ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
- Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
- Fix rrset cache create allocation failure case.
- Fix #1293: EDE 6 is attached to insecure cached answers when client
  sends the CD bit.
- Fix #1247: forward-first: ssl handshake failed on root nameservers.
- For #1247, turn off fetch-policy for delegation when looking into
  parent side name servers that may not update the addresses and hit
  NXNS limits.
- For #1247, replay test (added tcp_transport to
  outnet_serviced_query).
- Merge #1299: Fix typos.
- Generate ltmain.sh and configure again.
- Fix #1300: Is 'sock-queue-timeout' a linux only feature.
- For #1300: implement sock-queue-timeout for FreeBSD as well.
- Fix layout of comm_point_udp_ancil_callback.
- Fix to improve dnstap discovery on Fedora.
- Fix detection of SSL_CTX_set_tmp_ecdh function.
- For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1.
- For #1289: test num.valops in existing stat_values.tdir.
- For #1289: add num.valops in the unbound-control man page.
- Add unit tests for non-ecs aggregation.
- Fix to not set rlimits in the unit tests.
- iana portlist updated.
- Redis checks for server down and throttles reconnects.
- Fix redis cachedb module gettimeofday init failure.
- Fix testbound test program to accurately output packets from hex.
- Fix #1309: incorrectly reclaimed tcp handler can cause data
  corruption and segfault.
- Fix to use assertions for consistency checks in #1309 reclaimed
  tcp handlers.
- Fix edns subnet, so that the subquery without subnet is stored in
  global cache if the querier used 0.0.0.0/0 and the name and address
  do not receive subnet treatment. If the name and address are
  configured for subnet, it is stored in the subnet cache.
- Fix dname_str for printout of long names. Thanks to Jan Komissar
  for the fix.
- Fix that edns-subnet failure to create a subquery errors as
  servfail, and not formerror.
- Fix to whitespace in dname_str.
- Fix that unbound-control dump_cache releases the cache locks
  every so often, so that the server stays responsive.
- Fix to remove debug from cache_lookup.
- Fix to unlock cache_lookup message for malformed records.
- Fix to increase responsiveness of dump_cache.
- Fix to decouple file descriptor activity and cache lookups in
  dump_cache.
- Fix cache_lookup subnet printout to wipe zero part of the prefix.
- Fix cache_lookup subnet print to not print messages without rrsets
  and perform in-depth check on node in the addrtree.
- Fix to check for extraneous command arguments for unbound-control,
  when the command takes no arguments but there are arguments present.
- Fix #1317: Unbound starts too early. Add
  Wants=network-online.target under [Unit] in unbound.service.
- Fix for #1317: Fix contrib/unbound.service comment path for
  systemd network configuration.
- For #1318: Fix compile warnings for DoH compile on windows.
- Fix sha1 enable environment variable in test code on windows.
- Fix that the zone acquired timestamp is set after the
  zonefile is read.
- Fix ports workflow to install expat for macos.
- Fix unbound-control dump_cache for double unlock of lruhash table.
- Fix setup_listen_sslctx warning for nettle compile.
- Limit the number of consecutive reads on an HTTP/2 session.
  Thanks to Gal Bar Nahum for exposing the possibility of infinite
  reads on the session.
- Fix for #1324: Fix to free edns options scratch in ratelimit case.
- Fix #1235: Outdated Python2 code in
  unbound/pythonmod/examples/log.py.
- Fix #1324: Memory leak in 'msgparse.c' in
  'parse_edns_options_from_query(...)'.
- Fix indentation in tcp-mss option parsing.
- For #1328: make depend.
- Update documentation for using "SET ... EX" in Redis.
- Document max buffer sizes for Redis commands.
- Update man pages.
- Fix #1332: CNAME chains are sometimes not followed when RPZs add a
  local CNAME rewrite.
- Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
- Small debug output improvement when attaching an EDE.
- Fix to print warning for when so-sndbuf setsockopt is not granted.
- Too many quotes for the EDE message debug printout.

release-1.24.0rc1

Tag for Unbound 1.24.0rc1.

release-1.23.1

Unbound 1.23.1

This security release fixes the Rebirthday Attack CVE-2025-5994.

This re-opens up resolvers to a birthday paradox, for EDNS client subnet
servers that respond with non-ECS answers. It only affects Unbound when
compiled with --enable-subnet, and subnetmod is enabled with config
options that send ECS information to upstream servers.

The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.

Bug Fixes:
- Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
  AOSP Lab Nankai University.

prpl/stable-1.22.y_v0.2.0

release-1.23.0

Unbound 1.23.0

This release features changed defaults, fast reload, redis replica,
DNS Error Reporting, and bug fixes.

The fast reload is a feature that is listed as experimental. With
`unbound-control fast_reload` the server can read the new config in
a thread, and when done only briefly pauses the server to update the
settings. This uses double memory, for like zones from disk or config
that is loaded. It only pauses the server, for like less than a second,
so DNS service is not interrupted by the reload of config. A lot of
config items can be changed, but not all. It has options to print
more information, or memory usage, and there is a list of config
options in the man page.

The redis replica support allows for a redis backend to use a redis
replica. The read commands are sent to the redis replica host, while
the write commands are sent to the redis server. So with several
replicas there can be more readers that all write to the redis server.

With DNS error reporting, RFC9567, enabled with
`dns-error-reporting: yes`, this uses the error reporting agent to send
failure reports to. The number of error reporting queries is output in
the statistics as `num.dns_error_reports`.

Some defaults are changed in this release. The `resolver.arpa.` and
`service.arpa.` zones are added to the default locally served zones,
this can be disabled with a nodefault local zone. The default for
`max-global-quota` has changed to 200, after operational feedback.
The defaults from RFC8767 are used by `serve-expired-client-timeout`
on 1800 milliseconds and `serve-expired-ttl` on 86400 seconds. If
Unbound is compiled with edns subnet, the default for module-config
is no longer altered, so that compilation with subnet does not
interfere when the server does not use subnet. When edns subnet needs
to be enabled, `module-config: "subnetcache validator iterator"` should
be explicitly set as configuration in the `server:` section.

If edns subnet is enabled, the default for
module-config is no longer altered, so that compilation with subnet
does not interfere when the server does not use subnet. When edns subnet
is in use, also `module-config: "subnetcache validator iterator"` should
be set as configuration in the `server:` section.

The RC2 has fixes for building on Solaris and portability to Windows,
and fixes a memory leak for DoH.

Features
- Increase the default of max-global-quota to 200 from 128 after
  operational feedback. Still keeping the possible amplification
  factor (CAMP related issues) in the hundreds.
- Fix #1175: serve-expired does not adhere to secure-by-default
  principle. The default value of serve-expired-client-timeout
  is set to 1800 as suggested by RFC8767.
- For #1175, the default value of serve-expired-ttl is set to 86400
  (1 day) as suggested by RFC8767.
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
- Add resolver.arpa and service.arpa to the default locally served
  zones.
- Merge #1042: Fast Reload. The unbound-control fast_reload is added.
  It reads changed config in a thread, then only briefly pauses the
  service threads, that keep running. DNS service is only interrupted
  briefly, less than a second.
- Merge #1019: Redis read-only replica support.
  Introduces new 'redis-replica-*' options for the Redis cache backend.
- Merge #902: DNS Error Reporting (RFC 9567). Introduces new
  configuration option 'dns-error-reporting' and new statistics for
  'num.dns_error_reports'.

Bug Fixes
- Fix #1154: Tag Incorrectly Applying for Other Interfaces
  Using the Same IP. This fix is not for 1.22.0.
- Fix #1163: Typos in unbound.conf documentation.
- Merge #1159: Stats for discard-timeout and wait-limit.
- Add test case for #1159.
- Some clean up for stat_values.test.
- Merge #1170 from Melroy van den Berg, Fix chroot manpage
  description.
- Merge #1157 from Liang Zhu, Fix heap corruption when calling
  ub_ctx_delete in Windows.
- Fix redis that during a reload it does not fail if the redis
  server does not connect or does not respond. It still logs the
  errors and if the server is up checks expiration features.
- Merge #1167: Makefile.in: fix occasional parallel build failures
  around bison rule.
- Fix SETEX check during Redis (re)initialization.
- Fix for the serve expired DNSSEC information fix, it would not allow
  current delegation information be updated in cache. The fix allows
  current delegation and validation recursion information to be
  updated, but as a consequence no longer has certain expired
  information around for later dnssec valid expired responses.
- Fix to log redis timeout error string on failure.
- More descriptive text for 'harden-algo-downgrade'.
- Complete fix for max-global-quota to 200.
- Fix #1183: the data being used is released in method
  nsec3_hash_test_entry.
- Fix for #1183: release nsec3 hashes per test file.
- Merge #1169 from Sergey Kacheev, fix: lock-free counters for
  auth_zone up/down queries.
- Fix comparison to help static analyzer.
- For #1175, update serve-expired tests.
- Merge #1189: Fix the dname_str method to cause conversion errors
  when the domain name length is 255.
- Merge #1197: dname_str() fixes.
- Merge #1198: Fix log-servfail with serve expired and no useful cache
  contents.
- Safeguard alias loop while looking in the cache for expired answers.
- Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
  drop.
- Fix typo in log_servfail.tdir test.
- Merge #1204: ci: set persist-credentials: false for actions/checkout
  per zizmor suggestion.
- Merge #1174: Serve expired cache update fixes. Fixes a regression bug
  with serve-expired that appeared in 1.22.0 and would not allow the
  iterator to update the cache with not-yet-validated entries resulting
  in increased outgoing traffic.
- Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
  handshake.
- Fix #1213: Misleading error message on default access control causing
  refuse.
- Merge #1221: Consider auth zones when checking for forwarders.
- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
  ALPN.
- Create the quic SSL listening context only when needed.
- Fix compile of interface check code when dnscrypt or quic is
  disabled.
- Fix encoding of RR type ATMA.
- Fix to check length in ATMA string to wire.
- Merge #1229: check before use daemon->shm_info.
- Use the same interface listening port discovery code for all needed
  protocols.
- Port to string only when needed before getaddrinfo().
- Do not open unencrypted channels next to encrypted ones on the same
  port.
- Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
  set.
- Merge #1220 from Petr Menšík, Add unbound members group access to
  control key.
- Make the default value of module-config "validator iterator"
  regardless of compilation options. --enable-subnet would implicitly
  change the value to enable the subnetcache module by default in the
  past.
- Fix #986: Resolving sas.com with dnssec-validation fails though
  signed delegations seem to be (mostly) correct.
- Consider reconfigurations when calculating the still_useful_timeout
  for servers in the infrastructure cache.
- Fix static analysis report about unhandled EOF on error conditions
  when reading anchor key files.
- Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
  values.
- Fix hash calculation for cachedb to ignore case. Previously, cached
  records there were only relevant for same case queries (if not
  already in Unbound's internal cache).
- Merge #1243: Do not shadow tm on line 236.
- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
  Add --help output description for the SOURCE_DATE_EPOCH variable.
- Fix 'unbound-control flush_negative' when reporting removed data;
  reported by David 'eqvinox' Lamparter.
- Fix representation of types GPOS and RESINFO, add rdf type for
  unquoted str.
- Fix #1251: WSAPoll first argument cannot be NULL.
- Fix for windows compile create ssl contexts.
- Fix print of RR type NSAP-PTR, it is an unquoted string.
- Fix #1253: Cache entries fail to be removed from Redis cachedb
  backend with unbound-control flush* +c.
- Fix for #1253: Fix for redis cachedb backend to expect an integer
  reply for the EXPIRE command.
- Fix #1254: `send failed: Socket is not connected` and
  `remote address is 0.0.0.0 port 53`.
- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
- For #1255, for ios use an older expat version that does not require
  C++11 language features.
- For #1255, for ios disable building tests that require C++11.
- For #1255, for ios try the latest expat version again.
- Fix unit test dname log printout typecast.
- Fix for ci test, expat is installed on the osx image.
- iana portlist update.
- Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
- Fix escape more characters when printing an RR type with an unquoted
  string.
- Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
- Fix unbound-control test so it counts the new flush_negative output,
  also answers the _ta probe from testns and prints command output
  and skip a thread specific test when no threads are available.
- Fix that ub_event has the facility to deal with callbacks for
  fast reload, doq, windows-stop and dnstap.
- Fix fast reload test to check if pid exists before acting on it.
- Merge #1262 from markyang92, fix build with
  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
- For #1262, ifdef is no longer needed.
- Fix #1263: Exempt loopback addresses from wait-limit.
- Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
  to allow two arguments.
- Fix ub_event and include dnstap and win_svc headers.
- Fix test for stat_values for wait limit defaults for localhost.
- Fix parameter unused warning in net_help.c.
- Fix mesh_copy_client_info to omit null contents from copy.
- Fix comment name in the rpz nsdname test.
- Fix nettle compile for warnings and ticket keys.
- Fix redis_replica test for unused option defaults and log printout.
- Fix test to speed up common.sh script kill_pid.
- Fix to update common.sh for speed of kill_pid.
- Update to the manpage for the fast_reload part.
- Fix fast_reload to print chroot with config file name.
- Fix to detect if atomic_store links in configure.
- Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
- Fix for print of connection type in log-replies for dot and doh.
- Merge #1265: Fix WSAPoll.

prpl/stable-1.22.y_v0.1.0

release-1.23.0rc2

Tag for Unbound 1.23.0rc2.

release-1.23.0rc1

Tag for Unbound 1.23.0rc1.

gen_1.22.0_v0.1.1

gen_1.22.0_v0.1.0

gen_1.18.0_v0.1.7

gen_1.18.0_v0.1.6

gen_1.18.0_v0.1.5

gen_1.18.0_v0.1.4

release-1.22.0

Unbound 1.22.0

This release has an option to harden against unverified glue, it
is enabled with `harden-unverified-glue: yes`. It was contributed
by Karthik Umashankar from Microsoft. This protects Unbound against
bad glue, that is out of zone, by performing a lookup for it.
Because it uses the original information as a last resort if nothing
works, it should not give lookup failures, and add protection.

There are options to configure the scrubbing for NS records and
the CNAME scrubbing and the max global quota lookup limit from
previous security fix releases. They can be configured with the
options `iter-scrub-ns`, `iter-scrub-cname` and `max-global-quota`.

For redis use, with cachedb, it is possible to specify the
timeout for the initial connection separately from the timeout
for commands. With the options `redis-command-timeout: 20` and
`redis-connect-timeout: 200` they can be set separately, for
a longer connect attempt, but a short command timeout to keep
resolution faster.

It is possible to log with ISO8601 format with `log-time-iso: yes`
this also logs time in milliseconds. Useful if the server writes to
file, syslog may have its own format.

DNS over QUIC is support is added, if compiled with libngtcp2 and
with the openssl+quic that it uses. Use `--with-libngtcp2` for that,
and enable it with `quic-port: 853`. There is a post about it
on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to
appear after the release].

Features
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota
  configuration options.
- Merge patch to fix for glue that is outside of zone, with
  `harden-unverified-glue`, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
- Add redis-command-timeout: 20 and redis-connect-timeout: 200,
  that can set the timeout separately for commands and the
  connection set up to the redis server. If they are not
  specified, the redis-timeout value is used.
- Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
  This adds the option `log-time-iso: yes` that logs in ISO8601
  format.
- Merge #871: DNS over QUIC. This adds `quic-port: 853` and
  `quic-size: 8m` that enable dnsoverquic, and the counters
  `num.query.quic` and `mem.quic` in the statistics output.
  The feature needs to be enabled by compiling with libngtcp2,
  with `--with-libngtcp2=path` and libngtcp2 needs openssl+quic,
  pass that with `--with-ssl=path` to compile unbound as well.

Bug Fixes
- Fix #1126: unbound-control-setup hangs while testing for openssl
  presence starting from version 1.21.0.
- Add cross platform freebsd, openbsd and netbsd to github ci.
- Fix for char signedness warnings on NetBSD.
- Fix #1127: error: "memory exhausted" when defining more than 9994
  local-zones.
- Fix documentation for cache_fill_missing function.
- Fix #1130: Loads of logs: "validation failure: key for validation
  <domain>. is marked as invalid because of a previous" for
  non-DNSSEC signed zone.
- Fix that when rpz is applied the message does not get picked up by
  the validator. That stops validation failures for the message.
- Fix that stub-zone and forward-zone clauses do not exhaust memory
  for long content.
- Unit test for auth zone transfer TLS, and TLS failure.
- Fix to print port number in logs for auth zone transfer activities.
- Merge #1132: b.root renumbering.
- Fix for #1132, adjusted unit test for change in the test file.
- Fix for #1132, comment about adjusted copy of reference check.
- Merge #1135: Add new IANA trust anchor.
- Fix config file read for dnstap-sample-rate.
- Fix alloc-size and calloc-transposed-args compiler warnings.
- Fix comment to not trigger doxygen unknown command.
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
  enabled (RFC9077).
- Add unit test for ttl limit for aggressive nsec.
- Fix and add comments in testdata/val_negcache_ttl.rpl.
- Merge #1140: Fix spelling mistake in comments.
- Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
  already disabled.
- Fix dns64 with prefetch that the prefetch is stored in cache.
- Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
- More clear text for prefetch and minimal-responses in the
  unbound.conf man page.
- Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
- Fix negative cache NSEC3 parameter compares for zero length NSEC3
  salt.
- Fix unbound dnstap socket test program analyzer warnings about
  unused variable assignments and variable initialization.
- Fix #1149: unbound-control-setup hangs sometimes depending on
  the openssl version.
- Fix #1128: Cannot override tcp-upstream and tls-upstream with
  forward-tcp-upstream and forward-tls-upstream.
- Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
  prefetch ttl for messages after a CNAME with short TTL.
- Fix for dnstap compile of doqclient with doq disabled.
- Fix cookie_file test sporadic fails for time change during
  the test.
- Fix add reallocarray to alloc stats unit test, and disable
  override of strdup in unbound-host, and the result of config
  get option is freed properly.
- Fix to disable detection of quic configured ports when quic is
  not compiled in.
- Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
- Fix contrib/aaaa-filter-iterator.patch for change in call
  signature for cache_fill_missing.
- Fix to display warning if quic-port is set but dnsoverquic is not
  enabled when compiled.
- Fix dnsoverquic to extend the number of streams when one is closed.
- Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
- Fix for dnsoverquic and dnstap to use the correct dnstap
  environment.

release-1.22.0rc1

Tag for Unbound 1.22.0rc1.

release-1.21.1

Unbound 1.21.1

This security release fixes CVE-2024-8508.

A vulnerability has been discovered in Unbound when handling replies
with very large RRsets that Unbound needs to perform name compression
for.

Malicious upstreams responses with very large RRsets can cause Unbound
to spend a considerable time applying name compression to downstream
replies. This can lead to degraded performance and eventually denial of
service in well orchestrated attacks.

The vulnerability can be exploited by a malicious actor querying Unbound
for the specially crafted contents of a malicious zone with very large
RRsets.
Before Unbound replies to the query it will try to apply name
compression which was an unbounded operation that could lock the CPU
until the whole packet was complete.

Unbound version 1.21.1 introduces a hard limit on the number of name
compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed
packets or truncated packets, even on TCP for huge messages, to avoid
locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and
responsibly disclosing the vulnerability.

Bug Fixes:
- Fix CVE-2024-8508, unbounded name compression could lead to denial of
  service.