Unbound 1.22.0

Unbound 1.22.0

This release has an option to harden against unverified glue, it
is enabled with harden-unverified-glue: yes. It was contributed
by Karthik Umashankar from Microsoft. This protects Unbound against
bad glue, that is out of zone, by performing a lookup for it.
Because it uses the original information as a last resort if nothing
works, it should not give lookup failures, and add protection.

There are options to configure the scrubbing for NS records and
the CNAME scrubbing and the max global quota lookup limit from
previous security fix releases. They can be configured with the
options iter-scrub-ns, iter-scrub-cname and max-global-quota.

For redis use, with cachedb, it is possible to specify the
timeout for the initial connection separately from the timeout
for commands. With the options redis-command-timeout: 20 and
redis-connect-timeout: 200 they can be set separately, for
a longer connect attempt, but a short command timeout to keep
resolution faster.

It is possible to log with ISO8601 format with log-time-iso: yes
this also logs time in milliseconds. Useful if the server writes to
file, syslog may have its own format.

DNS over QUIC is support is added, if compiled with libngtcp2 and
with the openssl+quic that it uses. Use --with-libngtcp2 for that,
and enable it with quic-port: 853. There is a post about it
on https://blog.nlnetlabs.nl/dns-over-quic-in-unbound [that is to
appear after the release].

Features

• Add iter-scrub-ns, iter-scrub-cname and max-global-quota
  configuration options.
• Merge patch to fix for glue that is outside of zone, with
  harden-unverified-glue, from Karthik Umashankar (Microsoft).
  Enabling this option protects the Unbound resolver against bad
  glue, that is unverified out of zone glue, by resolving them.
  It uses the records as last resort if there is no other working
  glue.
• Add redis-command-timeout: 20 and redis-connect-timeout: 200,
  that can set the timeout separately for commands and the
  connection set up to the redis server. If they are not
  specified, the redis-timeout value is used.
• Fix #1144: [FR] log timestamps in ISO8601 format with timezone.
  This adds the option log-time-iso: yes that logs in ISO8601
  format.
• Merge #871: DNS over QUIC. This adds quic-port: 853 and
  quic-size: 8m that enable dnsoverquic, and the counters
  num.query.quic and mem.quic in the statistics output.
  The feature needs to be enabled by compiling with libngtcp2,
  with --with-libngtcp2=path and libngtcp2 needs openssl+quic,
  pass that with --with-ssl=path to compile unbound as well.

Bug Fixes

• Fix #1126: unbound-control-setup hangs while testing for openssl
  presence starting from version 1.21.0.
• Add cross platform freebsd, openbsd and netbsd to github ci.
• Fix for char signedness warnings on NetBSD.
• Fix #1127: error: "memory exhausted" when defining more than 9994
  local-zones.
• Fix documentation for cache_fill_missing function.
• Fix #1130: Loads of logs: "validation failure: key for validation
  . is marked as invalid because of a previous" for
  non-DNSSEC signed zone.
• Fix that when rpz is applied the message does not get picked up by
  the validator. That stops validation failures for the message.
• Fix that stub-zone and forward-zone clauses do not exhaust memory
  for long content.
• Unit test for auth zone transfer TLS, and TLS failure.
• Fix to print port number in logs for auth zone transfer activities.
• Merge #1132: b.root renumbering.
• Fix for #1132, adjusted unit test for change in the test file.
• Fix for #1132, comment about adjusted copy of reference check.
• Merge #1135: Add new IANA trust anchor.
• Fix config file read for dnstap-sample-rate.
• Fix alloc-size and calloc-transposed-args compiler warnings.
• Fix comment to not trigger doxygen unknown command.
• Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
  enabled (RFC9077).
• Add unit test for ttl limit for aggressive nsec.
• Fix and add comments in testdata/val_negcache_ttl.rpl.
• Merge #1140: Fix spelling mistake in comments.
• Fix doxygen warnings by commenting out CLANG_ASSISTED_PARSING,
  CLANG_ADD_INC_PATHS, CLANG_OPTIONS and CLANG_DATABASE_PATH; they were
  already disabled.
• Fix dns64 with prefetch that the prefetch is stored in cache.
• Attempt to further fix doh_downstream_buffer_size.tdir flakiness.
• More clear text for prefetch and minimal-responses in the
  unbound.conf man page.
• Merge #1143: Fix cache update when serve expired is used. Expired
  records are favored over resolution and validation failures when
  serve-expired is used.
• Fix negative cache NSEC3 parameter compares for zero length NSEC3
  salt.
• Fix unbound dnstap socket test program analyzer warnings about
  unused variable assignments and variable initialization.
• Fix #1149: unbound-control-setup hangs sometimes depending on
  the openssl version.
• Fix #1128: Cannot override tcp-upstream and tls-upstream with
  forward-tcp-upstream and forward-tls-upstream.
• Fix to limit NSEC TTL for messages from cachedb. Fix to limit the
  prefetch ttl for messages after a CNAME with short TTL.
• Fix for dnstap compile of doqclient with doq disabled.
• Fix cookie_file test sporadic fails for time change during
  the test.
• Fix add reallocarray to alloc stats unit test, and disable
  override of strdup in unbound-host, and the result of config
  get option is freed properly.
• Fix to disable detection of quic configured ports when quic is
  not compiled in.
• Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
• Fix contrib/aaaa-filter-iterator.patch for change in call
  signature for cache_fill_missing.
• Fix to display warning if quic-port is set but dnsoverquic is not
  enabled when compiled.
• Fix dnsoverquic to extend the number of streams when one is closed.
• Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
• Fix for dnsoverquic and dnstap to use the correct dnstap
  environment.

Unbound 1.21.1

This security release fixes CVE-2024-8508.

A vulnerability has been discovered in Unbound when handling replies
with very large RRsets that Unbound needs to perform name compression
for.

Malicious upstreams responses with very large RRsets can cause Unbound
to spend a considerable time applying name compression to downstream
replies. This can lead to degraded performance and eventually denial of
service in well orchestrated attacks.

The vulnerability can be exploited by a malicious actor querying Unbound
for the specially crafted contents of a malicious zone with very large
RRsets.
Before Unbound replies to the query it will try to apply name
compression which was an unbounded operation that could lock the CPU
until the whole packet was complete.

Unbound version 1.21.1 introduces a hard limit on the number of name
compression calculations it is willing to do per packet.
Packets that need more compression will result in semi-compressed
packets or truncated packets, even on TCP for huge messages, to avoid
locking the CPU for long.

This change should not affect normal DNS traffic.

We would like to thank Toshifumi Sakaguchi for discovering and
responsibly disclosing the vulnerability.

Bug Fixes:

• Fix CVE-2024-8508, unbounded name compression could lead to denial of
  service.

Unbound 1.21.0

Unbound 1.21.0

This release has a fix for the CAMP and CacheFlush issues. They have a
low severity for Unbound, since it does not affect Unbound so much.

The Compositional Amplification (CAMP) type of attacks can lead to DoS
attacks against DNS servers. In Unbound legitimate client requests to
the resolvers under typical workload are not directly affected by CAMP
attacks. However we introduce a global quota for 128 outgoing packets
per query (and it's subqueries) that is never reset to prevent the
combination of CAMP with other amplification attacks in the future. We
would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin
Tanir from NetSec group, ETH Zurich for discovering and notifying us
about the issue.

The CacheFlush type of attacks (NSCacheFlush, CNAMECacheFlush) try to
evict cached data by utilizing rogue zones and a steady rogue stream to
a resolver. Based on the zone, the stream, the configured cache size
and the legitimate traffic, Unbound could experience a degradation of
service if a useful entry is evicted and Unbound needs to resolve again.
As a mitigation to the NSCacheFlush attack Unbound is setting a limit
of 20 RRs in an NS RRset. We would like to thank Yehuda Afek, Anat
Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv University and
Reichman University) for discovering and notifying us about the issue.

Other fixes in this release are bug fixes. Also the unbound control
commands that flush the cache can clear both the memory and cachedb
module cache. The ipset module can use BSD pf tables. The new option
dnstap-sample-rate: 100 can be used to log 1/N messages, for use in
high volume server environments where the log server does not keep up.

The new DNSSEC key for the root, 38696 from 2024 has been added. It is
added to the default root keys in unbound-anchor. The content can be
inspected with unbound-anchor -l. Older versions of Unbound can keep
up with the root key with auto-trust-anchor-file that has RFC5011
key rollover. Also unbound-anchor can fetch the keys from the website
with a certificate if needed.

For cookie secrets, it is possible to perform rollover. The file
with cookie secret in use and the staging secret is configured
with cookie-secret-file. With the remote control the rollover can be
performed, add_cookie_secret, activate_cookie_secret, drop_cookie_secret
and print_cookie_secrets can be used for that.

Compared to the RC1, the release has a fix for module loading on Windows,
and a spelling correction.

Features

• Fix #1071: [FR] Clear both in-memory and cachedb module cache with
  unbound-control flush* commands.
• Fix #144: Port ipset to BSD pf tables.
• Add dnstap-sample-rate that logs only 1/N messages, for high volume
  server environments. Thanks Dan Luther.
• Add root key 38696 from 2024 for DNSSEC validation. It is added
  to the default root keys in unbound-anchor. The content can be
  inspected with unbound-anchor -l.
• Merge #1090: Cookie secret file. Adds
  cookie-secret-file: "unbound_cookiesecrets.txt" option to store
  cookie secrets for EDNS COOKIE secret rollover. The remote control
  add_cookie_secret, activate_cookie_secret and drop_cookie_secret
  commands can be used for rollover, the command print_cookie_secrets
  shows the values in use.

Bug Fixes

• Fix CAMP issues with global quota. Thanks to Huayi Duan, Marco
  Bearzi, Jodok Vieli, and Cagin Tanir from NetSec group, ETH Zurich.
• Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda Afek,
  Anat Bremler-Barr, Shoham Danino and Yuval Shavitt (Tel-Aviv
  University and Reichman University).
• Merge #1062: Fix potential overflow bug while parsing port in
  function cfg_mark_ports.
• Fix for #1062: declaration before statement, avoid print of null,
  and redundant check for array size.
• Fix to squelch udp connect errors in the log at low verbosity about
  invalid argument for IPv6 link local addresses.
• Fix when the mesh jostle is exceeded that nameserver targets are
  marked as resolved, so that the lookup is not stuck on the
  requestlist.
• Add missing common functions to tdir tests.
• Merge #1070: Fix rtt assignement for low values of
  infra-cache-max-rtt.
• Merge #1069: Fix unbound-control stdin commands for multi-process
  Unbounds.
• Fix unbound-control commands that read stdin in multi-process
  operation (local_zones_remove, local_zones, local_datas_remove,
  local_datas, view_local_datas_remove, view_local_datas). They will
  be properly distributed to all processes. dump_cache and load_cache
  are no longer supported in multi-process operation.
• Remove testdata/remote-threaded.tdir. testdata/09-unbound-control.tdir
  now checks both single and multi process/thread operation.
• Merge #1073: fix null pointer dereference issue in function
  ub_ctx_set_fwd.
• Fix to print a parse error when config is read with no name for
  a forward-zone, stub-zone or view.
• Fix for parse end of forward-zone, stub-zone and view.
• Fix for #1064: Fix that cachedb expired messages are considered
  insecure, and thus can be served to clients when dnssec is enabled.
• Fix #1059: Intermittent DNS blocking failure with local-zone and
  always_nxdomain. Addition of local_zones dynamically via
  unbound-control was not finding the zone's parent correctly.
• Fix #1064: Unbound 1.20 Cachedb broken?
• Fix unused variable warning on compilation with no thread support.
• unbound-control-setup: check openssl availability before doing
  anything, patch from Michael Tokarev.
• Update patch to remove 'command' shell builtin and update error
  text.
• Fix to enable that SERVFAIL is cached, for a short period, for more
  cases. In the cases where limits are exceeded.
• Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
• Merge #1078: Only check old pid if no username.
• Fix #1079: tags from tagged rpz zones are no longer honored after
  upgrade from 1.19.3 to 1.20.0.
• Fix for #1079: fix RPZ taglist in iterator callback that no client
  info is like no taglist intersection.
• Fix to squelch connection reset by peer errors from log. And fix
  that the tcp read errors are labeled as initial for the first calls.
• Merge #1080: AddressSanitizer detection in tdir tests and memory leak
  fixes.
• Fix memory leak when reload_keep_cache is used and num-threads
  changes.
• Fix memory leak on exit for unbound-dnstap-socket; creates false
  negatives during testing.
• Fix memory leak in setup of dsa sig.
• Fix typos for 'the the' in text.
• Fix validation for repeated use of a DNAME record.
• Add unit test for validation of repeated use of a DNAME record.
• Fix #1091: Build fails with OpenSSL >= 3.0 built with
  OPENSSL_NO_DEPRECATED.
• Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0; by
  adding helpful text for the Python interpreter version and allowing
  the default pkg-config unavailability error message to be shown.
• Fix pkg-config availability check in dnstap/dnstap.m4 and
  systemd.m4.
• Explicitly set the RD bit for the mesh query flags when prefetching.
  These queries have no waiting client but they need to be treated as
  recursive.
• Fix ip-ratelimit-cookie setting, it was not applied.
• Fix to remove unused include from the readzone test program.
• Fix unused variable warning in do_cache_remove.
• Fix compile warning in worker pthread id printout.
• Add unit test skip files and bison and flex output to gitignore.
• Fix to use modstack_init in zonemd unit test.
• Fix to remove unneeded linebreak in fptr_wlist.c.
• Fix compile warnings in fptr_wlist.c.
• Fix for repeated use of a DNAME record: first overallocate and then
  move the exact size of the init value to avoid false positive heap
  overflow reads from address sanitizers.
• Fix to print details about the failure to lookup a DNSKEY record
  when validation fails due to the missing DNSKEY. Also for key prime
  and DS lookups.
• Fix for neater printout for error for missing DS response.
• Fix neater printout.
• Fix #1099: Unbound core dump on SIGSEGV.
• Fix for #1099: Fix to check for deleted RRset when the contents
  is updated and fetched after it is stored, and also check for a
  changed RRset.
• Don't check for message TTL changes if the RRsets remain the same.
• Fix that validation reason failure that uses string print uses
  separate buffer that is passed, from the scratch validation buffer.
• Fixup algo_needs_reason string buffer length.
• Fix shadowed error string variable in validator dnskey handling.
• Update list of known EDE codes.
• For #773: In contrib/unbound.service.in set unbound to start after
  network-online.target. Also for contrib/unbound_portable.service.in.
• Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
• For #1103: fix to also drop mesh state reference when a h2 reply is
  dropped.
• Add RPZ tag tests in acl_interface.tdir.
• For #1102: clearer text for using interface-* options for the
  loopback interface.
• For #1103: fix to also drop mesh state reference when the discard
  limit is reached, when there is an error making a new recursion
  state and when the connection is dropped with is_drop.
• For #1103: Fix to drop mesh state reference for the http2 stream
  associated with the reply, not the currently active stream. And
  it does not remove it twice on a mesh_send_reply call. The reply
  h2_stream is NULL when not in use, for more initialisation.
• Fix dnstap wakeup, a running wakeup timer is left to expire and not
  increased, a timer is started when the dtio thread is sleeping,
  the timer set disabled when the dtio thread goes to sleep, and
  after sleep the thread checks to see if there are messages to log
  immediately.
• Merge #1110: Make fallthrough explicit for libworker.c.
• For #1110: Test for fallthrough attribute in configure and add
  fallthrough attribute an...

Unbound 1.20.0

Unbound 1.20.0

This release has a fix for the DNSBomb issue CVE-2024-33655. This has a
low severity for Unbound, since it makes Unbound complicit in targeting
others, but does not affect Unbound so much.

To mitigate the issue new configuration options are introduced.
The options discard-timeout: 1900, wait-limit: 1000
and wait-limit-cookie: 10000 are enabled by default. They limit the
number of outstanding queries that a querier can have. This limits
the reply pulse, and make Unbound less favorable for the issue.
With the config wait-limit-netblock and wait-limit-cookie-netblock
the parameters can be fine tuned for specific destinations.
More information on the attack and Unbound's mitigations are
presented further down.

Other fixes in this release are that Unbound no longer follows symlinks
when truncating the pidfile. Unbound also does not chown the pidfile,
this is for safety reasons. There are also a number of fixes for RPZ, in
handling CNAMEs. There is a memory leak fix for the edns client subnet
cache. For DNSSEC validation a case is fixed when the query is of type
DNAME. The unbound-anchor program is fixed to first write to a temporary
file, before replacing the original. This handles disk full situations,
and because of it unbound-anchor needs permission to create that file,
in the same directory as the original file. There is also a fix for
IP_DONTFRAG, to disable fragmentation instead of the opposite.

The option cache-min-negative-ttl can be used to set the minimum TTL
for negative responses in the cache. It complements existing options to
set the maximum ttl for negative responses and to set the minimum and
maximum ttl but not specifically for negative responses.

The option cachedb-check-when-serve-expired option makes Unbound use
cachedb to check for expired responses, when serve-expired is enabled,
and cachedb is used. It is enabled by default.

The -q option for unbound-checkconf can be added to silence it when
there are no errors.

The DNSBomb vulnerability CVE-2024-33655.

== Summary
The DNSBomb attack, via specially timed DNS queries and answers, can
cause a Denial of Service on resolvers and spoofed targets.

Unbound itself is not vulnerable for DoS, rather it can be used to take
part in a pulsing DoS amplification attack.

Unbound 1.20.0 includes fixes so the impact of the DoS from Unbound
is significantly lower than it used to be and making the attack, and
Unbound's participation, less tempting for attackers.

== Affected products
Unbound up to and including 1.19.3.

== Description
The DNSBomb attack works by sending low-rate spoofed queries for a
malicious zone to Unbound. By controlling the delay of the malicious
authoritative answers, Unbound slowly accumulates pending answers for
the spoofed addresses. When the authoritative answers become available
to Unbound at the same time, Unbound starts serving all the accumulated
queries. This results into large-sized, concentrated response bursts to
the spoofed addresses.

From version 1.20.0 on, Unbound introduces a couple of configuration
options to help mitigate the impact.
Their complete description can be found in the included manpages but
they are also briefly listed here together with their default values for
convenience:

• discard-timeout: 1900
  After 1900 ms a reply to the client will be dropped.
  Unbound would still work on the query but refrain from replying in
  order to not accumulate a huge number of "old" replies.
  Legitimate clients retry on timeouts.

• wait-limit: 1000
  wait-limit-cookie: 10000
  Limits the amount of client queries that require recursion
  (cache-hits are not counted) per IP address. More recursive queries
  than the allowed limit are dropped. Clients with a valid EDNS Cookie
  can have a different limit, higher by default.
  wait-limit: 0 disables all wait limits.

• wait-limit-netblock
  wait-limit-cookie-netblock
  These do not have a default value but they can fine grain
  configuration for specific netblocks. With or without EDNS Cookies.

The options above are trying to shrink the DNSBomb window so that the
impact of the DoS from Unbound is significantly lower than it used to be
and making the attack, and Unbound's participation, less tempting for
attackers.

== Acknowledgements
We would like to thank Xiang Li from the Network and Information
Security Lab of Tsinghua University for discovering and disclosing the
attack.

Features

• The config for discard-timeout, wait-limit, wait-limit-cookie,
  wait-limit-netblock and wait-limit-cookie-netblock was added, for
  the fix to the DNSBomb issue.
• Merge #1027: Introduce 'cache-min-negative-ttl' option.
• Merge #1043 from xiaoxiaoafeifei: Add loongarch support; updates
  config.guess(2024-01-01) and config.sub(2024-01-01), verified
  with upstream.
• Implement cachedb-check-when-serve-expired: yes option, default
  is enabled. When serve expired is enabled with cachedb, it first
  checks cachedb before serving the expired response.
• Fix #876: [FR] can unbound-checkconf be silenced when configuration
  is valid?

Bug Fixes

• Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
  from the Network and Information Security Lab of Tsinghua University
  for reporting it.
• Update doc/unbound.doxygen with 'doxygen -u'. Fixes option
  deprecation warnings and updates with newer defaults.
• Remove unused portion from iter_dname_ttl unit test.
• Fix validator classification of qtype DNAME for positive and
  redirection answers, and fix validator signature routine for dealing
  with the synthesized CNAME for a DNAME without previously
  encountering it and also for when the qtype is DNAME.
• Fix qname minimisation for reply with a DNAME for qtype CNAME that
  answers it.
• Fix doc test so it ignores but outputs unsupported doxygen options.
• Fix #1021 Inconsistent Behavior with Changing rpz-cname-override
  and doing a unbound-control reload.
• Merge #1028: Clearer documentation for tcp-idle-timeout and
  edns-tcp-keepalive-timeout.
• Fix #1029: rpz trigger clientip and action rpz-passthru not working
  as expected.
• Fix rpz that the rpz override is taken in case of clientip triggers.
  Fix that the clientip passthru action is logged. Fix that the
  clientip localdata action is logged. Fix rpz override action cname
  for the clientip trigger.
• Fix to unify codepath for local alias for rpz cname action override.
• Fix rpz for cname override action after nsdname and nsip triggers.
• Fix that addrinfo is not kept around but copied and freed, so that
  log-destaddr uses a copy of the information, much like NSD does.
• Merge #1030: Persist the openssl and expat directories for repeated
  Windows builds.
• Fix that rpz CNAME content is limited to the max number of cnames.
• Fix rpz, it follows iterator CNAMEs for nsip and nsdname and sets
  the reply query_info values, that is better for debug logging.
• Fix rpz that copies the cname override completely to the temp
  region, so there are no references to the rpz region.
• Add rpz unit test for nsip action override.
• Fix rpz for qtype CNAME after nameserver trigger.
• Fix rpz so that rpz CNAME can apply after rpz CNAME. And fix that
  clientip and nsip can give a CNAME.
• Fix localdata and rpz localdata to match CNAME only if no direct
  type match is available.
• Merge #831 from Pierre4012: Improve Windows NSIS installer
  script (setup.nsi).
• For #831: Format text, use exclamation icon and explicit label
  names.
• Fix name of unit test for subnet cache response.
• Fix #1032: The size of subnet_msg_cache calculation mistake cause
  memory usage increased beyond expectations.
• Fix for #1032, add safeguard to make table space positive.
• Fix comment in lruhash space function.
• Fix to add unit test for lruhash space that exercises the routines.
• Fix that when the server truncates the pidfile, it does not follow
  symbolic links.
• Fix that the server does not chown the pidfile.
• Fix #1034: DoT forward-zone via unbound-control.
• Fix for crypto related failures to have a better error string.
• Fix #1035: Potential Bug while parsing port from the "stub-host"
  string; also affected forward-zones and remote-control host
  directives.
• Fix #369: dnstap showing extra responses; for client responses
  right from the cache when replying with expired data or
  prefetching.
• Fix #1040: fix heap-buffer-overflow issue in function cfg_mark_ports
  of file util/config_file.c.
• For #1040: adjust error text and disallow negative ports in other
  parts of cfg_mark_ports.
• Fix comment syntax for view function views_find_view.
• Fix #595: unbound-anchor cannot deal with full disk; it will now
  first write out to a temp file before replacing the original one,
  like Unbound already does for auto-trust-anchor-file.
• Fixup compile without cachedb.
• Add test for cachedb serve expired.
• Extended test for cachedb serve expired.
• Fix makefile dependencies for fake_event.c.
• Fix cachedb for serve-expired with serve-expired-reply-ttl.
• Fix to not reply serve expired unless enabled for cachedb.
• Fix cachedb for serve-expired with serve-expired-client-timeout.
• Fixup unit test for cachedb server expired client timeout with
  a check if response if from upstream or from cachedb.
• Fixup cachedb to not refetch when serve-expired-client-timeout is
  used.
• Merge #1049 from Petr Menšík: Py_NoSiteFlag is not needed since
  Python 3.8
• Fix #1048: Update ax_pkg_swig.m4 and ax_pthread.m4.
• Fix configure, autoconf for #1048.
• Add checklock feature verbose_locking to trace locks and unlocks.
• Fix edns subnet to sort rrset references when storing messages
  in the cache. This fixes a race condition in the rrset locks.
• Merge #1053: Remove child delegations from cache when grandchild
  delegation...

Unbound 1.19.3

Unbound 1.19.3

This release has a number of bug fixes. The CNAME synthesized for a
DNAME record uses the original TTL, of the DNAME record, and that means
it can be cached for the TTL, instead of 0.

There is a fix that when a message was stored in cache, but one of the
RRsets was not updated due to cache policy, it now restricts the message
TTL if the cache version of the RRset has a shorter TTL. It avoids a
bug where the message is not expired, but its contents is expired.

For dnstap, it logs type DoH and DoT correctly, if that is used for
the message.

The b.root-servers.net address is updated in the default root hints.

When performing retries for failed sends, a retry at a smaller UDP size
is now not performed when that attempt is not actually smaller, and at
defaults, since the flag day changes, it is the same size. This makes
it skip the step, it is useless because there is no reduction in size.

Clients with a valid DNS Cookie will bypass the ratelimit, if one is
set. The value from ip-ratelimit-cookie is used for these queries.

Furthermore there is a fix to make correct EDE Prohibited answers for
access control denials, and a fix for EDNS client subnet scope zero
answers.

Features:

• Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
  per RFC 6672.

Bug Fixes:

• Fix unit test parse of origin syntax.
• Use 127.0.0.1 explicitly in tests to avoid delays and errors on
  newer systems.
• Fix #964: config.h.in~ backup file in release tar balls.
• Merge #968: Replace the obsolescent fgrep with grep -F in tests.
• Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
• Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
• Fix dnstap that assertion failed on logging other than UDP and TCP
  traffic. It lists it as TCP traffic.
• Fix to sync the tests script file common.sh.
• iana portlist update.
• Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
• Update test script file common.sh.
• Fix tests to use new common.sh functions, wait_logfile and
  kill_from_pidfile.
• Fix #974: doc: default number of outgoing ports without libevent.
• Merge #975: Fixed some syntax errors in rpl files.
• Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
  now that the root has a valid ZONEMD.
• Update example.conf with cookie options.
• Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
  for non-HTTP/2 DoH clients.
• Merge #985: Add DoH and DoT to dnstap message.
• Fix #983: Sha1 runtime insecure change was incomplete.
• Remove unneeded newlines and improve indentation in remote control
  code.
• Merge #987: skip edns frag retry if advertised udp payload size is
  not smaller.
• Fix unit test for #987 change in udp1xxx retry packet send.
• Merge #988: Fix #981: dump_cache truncates large records.
• Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
• Fix to link with libssp for libcrypto and getaddrinfo check for
  only header. Also update crosscompile to remove ssp for 32bit.
• Merge #993: Update b.root-servers.net also in example config file.
• Update workflow for ports to use newer openssl on windows compile.
• Fix warning for windres on resource files due to redefinition.
• Fix for #997: Print details for SSL certificate failure.
• Update error printout for duplicate trust anchors to include the
  trust anchor name (relates to #920).
• Update message TTL when using cached RRSETs. It could result in
  non-expired messages with expired RRSETs (non-usable messages by
  Unbound).
• Merge #999: Search for protobuf-c with pkg-config.
• Fix #1006: Can't find protobuf-c package since #999.
• Fix documentation for access-control in the unbound.conf man page.
• Merge #1010: Mention REFUSED has the TC bit set with unmatched
  allow_cookie acl in the manpage. It also fixes the code to match the
  documentation about clients with a valid cookie that bypass the
  ratelimit regardless of the allow_cookie acl.
• Document the suspend argument for process_ds_response().
• Move github workflows to use checkoutv4.
• Fix edns subnet replies for scope zero answers to not get stored
  in the global cache, and in cachedb, when the upstream replies
  without an EDNS record.
• Fix for #1022: Fix ede prohibited in access control refused answers.
• Fix unbound-control-setup.cmd to use 3072 bits so that certificates
  are long enough for newer OpenSSL versions.
• Fix TTL of synthesized CNAME when a DNAME is used from cache.
• Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
  like unbound-control-setup.sh has.

Unbound 1.19.2

Unbound 1.19.2

This security release fixes CVE-2024-1931.

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1
contain a vulnerability that can cause denial of service by a certain
code path that can lead to an infinite loop.

Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.

The vulnerability can only be triggered when the 'ede: yes' option is
used; non default configuration.

From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.

Bug Fixes:

• Fix CVE-2024-1931, Denial of service when trimming EDE text on
  positive replies.

Unbound 1.19.1

Unbound 1.19.1

This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of Keys (also
colliding Keys), Signatures and number of RRSETs on a malicious zone.
Answers from that zone can force a DNSSEC validator down a very CPU
intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses on a malicious
zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very
CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to regular
traffic) validating a single specially crafted DNSSEC response while
everything else is on hold for that thread. A trivially orchestrated
attack could render all threads busy with such responses leading to
denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC response
validations that seem to require more attempts than Unbound is willing
to make per response validation run. Suspension means that Unbound
will continue with other work before resuming a suspended validation
offering CPU time between validation resumptions to other tasks. There is
a backoff timer when suspending which is further influenced by the number
of suspends already used and the amount of work currently in Unbound.

The introduced builtin limits in Unbound are:

• Max 4 DNSSEC key collissions are allowed when building chain of trust.
  More than that without a secure key treats the delegation as bogus.
• 8 validation attempts per RRSET (combination of keys + signatures).
  If more are needed and Unbound has yet to find a valid signature
  the RRSET is treated as bogus.
• More than 8 validation attempts per answer will suspend validation.
• 8 NSEC3 hash calculations are allowed before suspension. More than
  that will suspend validation.
• The limit of total suspensions is 16 after which the query will error
  out. Any completed RRSET validations populate the cache for use in
  future queries.

While under attack Unbound could show higher CPU load because of the
needed validations but the suspend strategy would guarantee the CPU is
not locked on any particular validation task.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for discovering and responsibly disclosing the
KeyTrap vulnerability.

We would like to thank Petr Špaček from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.

Bug Fixes

• Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
  exhaust CPU resources and stall DNS resolvers.
• Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

Unbound 1.19.0

Unbound 1.19.0

This release fixes a number of bugs, and adds some smaller features.
The redis-logical-db option and cachedb-no-store option can be used
for cachedb configuration. The disable-edns-do option can be used for
working around broken network parts. For DNS64 there is fallback to
plain AAAA when no A record exists.

There is a bug fix that when the UDP interface keeps returning that
sending is not possible, unbound does not loop endlessly and waits
for the condition to go away.

Resource records of type A and AAAA that are an inappropriate length
are removed from responses. This hardens against bad content.

Features

• Fix #850: [FR] Ability to use specific database in Redis, with new
  redis-logical-db configuration option.
• Merge #944: Disable EDNS DO.
  Disable the EDNS DO flag in upstream requests. This can be helpful
  for devices that cannot handle DNSSEC information. But it should not
  be enabled otherwise, because that would stop DNSSEC validation. The
  DNSSEC validation would not work for Unbound itself, and also not
  for downstream users. Default is no. The option
  is disable-edns-do: no
• Expose the script filename in the Python module environment 'mod_env'
  instead of the config_file structure which includes the linked list
  of scripts in a multi Python module setup; fixes #79.
• Expose the configured listening and outgoing interfaces, if any, as
  a list of strings in the Python 'config_file' class instead of the
  current Swig object proxy; fixes #79.
• Mailing list patches from Daniel Gröber for DNS64 fallback to plain
  AAAA when no A record exists for synthesis, and minor DNS64 code
  refactoring for better readability.
• Merge #951: Cachedb no store. The cachedb-no-store: yes option is
  used to stop cachedb from writing messages to the backend storage.
  It reads messages when data is available from the backend. The
  default is no.

Bug Fixes

• Fix for version generation race condition that ignored changes.
• Fix #942: 1.18.0 libunbound DNS regression when built without
  OpenSSL.
• Fix for WKS call to getservbyname that creates allocation on exit
  in unit test by testing numbers first and testing from the services
  list later.
• Fix autoconf 2.69 warnings in configure.
• Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
• Merge #931: Prevent warnings from -Wmissing-prototypes.
• Fix to scrub resource records of type A and AAAA that have an
  inappropriate size. They are removed from responses.
• Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
• Fix to add EDE text when RRs have been removed due to length.
• Fix to set ede match in unit test for rr length removal.
• Fix to print EDE text in readable form in output logs.
• Fix send of udp retries when ENOBUFS is returned. It stops looping
  and also waits for the condition to go away. Reported by Florian
  Obser.
• Fix authority zone answers for obscured DNAMEs and delegations.
• Merge #936: Check for c99 with autoconf versions prior to 2.70.
• Fix to remove two c99 notations.
• Fix rpz tcp-only action with rpz triggers nsdname and nsip.
• Fix misplaced comment.
• Merge #881: Generalise the proxy protocol code.
• Fix #946: Forwarder returns servfail on upstream response noerror no
  data.
• Fix edns subnet so that queries with a source prefix of zero cause
  the recursor send no edns subnet option to the upstream.
• Fix that printout of EDNS options shows the EDNS cookie option by
  name.
• Fix infinite loop when reading multiple lines of input on a broken
  remote control socket. Addesses #947 and #948.
• Fix #949: "could not create control compt".
• Fix that cachedb does not warn when serve-expired is disabled about
  use of serve-expired-reply-ttl and serve-expired-client-timeout.
• Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
• Better fix for infinite loop when reading multiple lines of input on
  a broken remote control socket, by treating a zero byte line the
  same as transmission end. Addesses #947 and #948.
• For multi Python module setups, clean previously parsed module
  functions in main's dictionary, if any, so that only current
  module functions are registered.
• Fix #954: Inconsistent RPZ handling for A record returned along with
  CNAME.
• Fixes for the DNS64 patches.
• Update the dns64_lookup.rpl test for the DNS64 fallback patch.
• Merge #955 from buevsan: fix ipset wrong behavior.
• Update testdata/ipset.tdir test for ipset fix.
• Fix to print detailed errors when an SSL IO routine fails via
  SSL_get_error.
• Clearer configure text for missing protobuf-c development libraries.
• autoconf.
• Merge #930 from Stuart Henderson: add void to
  log_ident_revert_to_default declaration.
• Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
  suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
• Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
• Fix SSL compile failure for other missing definitions in
  log_crypto_err_io_code_arg.
• Fix compilation without openssl, remove unused function warning.
• Mention flex and bison in README.md when building from repository
  source.