Unbound is a validating, recursive, and caching DNS resolver.
Unbound 1.19.3
This release has a number of bug fixes. The CNAME synthesized for a DNAME record now uses the TTL of the original DNAME record, which means the synthesized CNAME can be cached for that TTL instead of a TTL of 0.
There is a fix for the case where a message was stored in the cache but one of its RRsets was not updated because of cache policy: the message TTL is now restricted if the cached version of the RRset has a shorter TTL. This avoids a bug where the message itself had not expired while its contents had.
For dnstap, the transport type is now logged correctly as DoH or DoT when one of those was used for the message.
The b.root-servers.net address is updated in the default root hints.
When retrying failed sends, the retry at a smaller UDP size is no longer performed when that attempt would not actually be smaller. With default settings, since the DNS flag day changes, the retry size is the same as the original size, so the step is skipped because there is no reduction in size.
Clients that present a valid DNS Cookie bypass the IP rate limit, if one is set. For these queries the limit from the ip-ratelimit-cookie option is used instead of the one from ip-ratelimit.
Furthermore, there is a fix that makes the EDE Prohibited answers for access control denials correct, and a fix for EDNS Client Subnet scope-zero answers.
Unbound 1.19.2
This security release fixes CVE-2024-1931.
NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1 contain a vulnerability that can cause denial of service by a certain code path that can lead to an infinite loop.
Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records.
The vulnerability can only be triggered when the 'ede: yes' option is used, which is a non-default configuration.
From version 1.19.2 on, the code is fixed so that it cannot loop indefinitely: when stripping the EXTRA-TEXT fields does not free enough space, the EDE options are removed as a whole instead of the trimming pass being re-entered.
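The trimming logic described above, written as an added example that is not Unbound's code: a positive answer plus its EDE options exceeds the client's advertised buffer size, so the EXTRA-TEXT fields are dropped one at a time while the INFO-CODEs are retained, and only when even the bare codes do not fit are the EDE options removed altogether. The wire formats are the real ones (EDNS option header per RFC 6891, EDE option code 15 per RFC 8914); the sample sizes and option texts are constructed for the example. The branch that returns when no text is left to trim is the termination guard the advisory describes; without it the loop would re-enter with an unchanged total forever.

```python
"""Fit EDE options into a client's EDNS buffer without looping forever.

Added example modelling the CVE-2024-1931 trimming logic; not Unbound's code.
"""
import struct

EDE_OPTION_CODE = 15  # RFC 8914 Extended DNS Error option code


def ede_option(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option in EDNS(0) option wire format.

    OPTION-CODE (2) | OPTION-LENGTH (2) | INFO-CODE (2) | EXTRA-TEXT (UTF-8)
    """
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def fit_ede_options(edes, base_len: int, buf_size: int):
    """Return (kept_options, wire_len) so that base_len + options <= buf_size.

    edes:     list of (info_code, extra_text) the resolver wants to attach.
    base_len: message size without any EDE options (OPT RR header included).
    buf_size: client's advertised EDNS UDP payload size.

    Strategy: keep all codes, drop EXTRA-TEXT from the last option carrying
    text, re-measure, repeat. Every pass either fits, strictly shrinks the
    message, or exits; a pass that cannot shrink anything terminates.
    """
    kept = list(edes)
    while True:
        total = base_len + sum(len(ede_option(c, t)) for c, t in kept)
        if total <= buf_size:
            return kept, total
        # Last option that still has text; trimming it frees bytes.
        idx = next((i for i in range(len(kept) - 1, -1, -1) if kept[i][1]), None)
        if idx is None:
            # No text left to trim and the bare codes still do not fit:
            # remove the EDE options as a whole. This is the exit that an
            # unchecked loop lacks; 'total' would never change again here.
            return [], base_len
        code, _ = kept[idx]
        kept[idx] = (code, "")


if __name__ == "__main__":
    # Constructed sample: a 100-byte positive answer with two verbose EDEs.
    sample = [(6, "DNSKEY missing: " + "x" * 10), (9, "no reachable authority " + "y" * 10)]
    for buf in (200, 130, 105):
        kept, size = fit_ede_options(sample, base_len=100, buf_size=buf)
        print(f"buf={buf}: kept={[c for c, _ in kept]} size={size}")
```

The caller still has to handle the case where `base_len` alone exceeds `buf_size` (set TC and truncate); this function only guarantees that it returns, never that the answer fits.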
We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability.
Unbound 1.19.1
This security release fixes two DNSSEC validation vulnerabilities: CVE-2023-50387 (referred to here as the KeyTrap vulnerability) and CVE-2023-50868 (referred to here as the NSEC3 vulnerability).
The KeyTrap vulnerability works by using a combination of keys (including keys with colliding key tags), signatures and a large number of RRsets in a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU-intensive and time-costly validation path.
The NSEC3 vulnerability uses specially crafted responses from a malicious zone with multiple NSEC3 RRsets to force a DNSSEC validator down a very CPU-intensive and time-costly NSEC3 hash calculation path.
Both can force Unbound to spend an enormous amount of time (compared to regular traffic) validating a single specially crafted DNSSEC response while everything else on that thread is on hold. A trivially orchestrated attack could keep all threads busy with such responses, leading to denial of service.
From version 1.19.1 on, Unbound suspends DNSSEC response validations that appear to require more attempts than Unbound is willing to make per validation run. Suspension means that Unbound continues with other work before resuming the suspended validation, so that other tasks get CPU time between validation resumptions. A backoff timer applies when suspending, and it is further influenced by the number of suspends already used and by the amount of work currently queued in Unbound.
The introduced builtin limits in Unbound are:
While under attack Unbound could show higher CPU load because of the needed validations but the suspend strategy would guarantee the CPU is not locked on any particular validation task.
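As an added example (not Unbound's code), the following shows why colliding key tags inflate the work a validator has to do, and how a per-response attempt cap with suspension bounds it. The key tag computation is RFC 4034 Appendix B; because the tag is a sum of 16-bit words with carry folding, reordering the 16-bit words of the public-key field yields distinct DNSKEY records with the same tag, so a validator that selects candidate keys by (tag, algorithm) has to try every key for every RRSIG. The signature check is a constant-cost placeholder that always fails, since the attacker's signatures never verify; the quantity of interest is the number of attempts. The budget of 32 attempts and the suspend/resume shape are this example's assumptions, not Unbound's actual built-in limits.

```python
"""Key tag collisions and a bounded validation loop.

Added example; not Unbound's code. Illustrates the KeyTrap work explosion
and the effect of an attempt budget with suspension.
"""
from collections import defaultdict
import random


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, proto, alg, pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def colliding_keys(base_pubkey: bytes, n: int, seed: int = 1) -> list:
    """Build n distinct DNSKEY RDATAs that all share one key tag.

    Header is fixed: flags=256 (ZSK), protocol=3, algorithm=13. Only the
    16-bit words of the public-key field are permuted, which keeps the
    word sum, and therefore the tag, unchanged.
    """
    assert len(base_pubkey) % 2 == 0
    words = [base_pubkey[i:i + 2] for i in range(0, len(base_pubkey), 2)]
    rng = random.Random(seed)
    keys = set()
    while len(keys) < n:
        rng.shuffle(words)
        keys.add(bytes([1, 0, 3, 13]) + b"".join(words))
    return sorted(keys)


def verify_attempt(key: bytes, rrsig: dict) -> bool:
    """Placeholder for a real signature verification: constant cost, always
    fails, as an attacker-supplied signature would."""
    return False


def validate_rrset(keys, rrsigs, budget: int):
    """Try every (RRSIG, candidate DNSKEY) pair the way a naive validator would.

    Returns (status, attempts). 'bogus' when every pair was tried and none
    verified; 'suspended' when the budget ran out first, meaning the caller
    would park this validation and resume it later rather than keep the
    thread on it.
    """
    by_tag = defaultdict(list)
    for k in keys:
        by_tag[(key_tag(k), k[3])].append(k)  # k[3] is the algorithm byte
    attempts = 0
    for sig in rrsigs:
        for k in by_tag[(sig["key_tag"], sig["algorithm"])]:
            if attempts >= budget:
                return "suspended", attempts
            attempts += 1
            if verify_attempt(k, sig):
                return "secure", attempts
    return "bogus", attempts


if __name__ == "__main__":
    # Constructed zone: 8 colliding ZSKs and 8 RRSIGs all naming that tag.
    keys = colliding_keys(bytes(range(1, 17)), 8)
    tag = key_tag(keys[0])
    sigs = [{"key_tag": tag, "algorithm": 13} for _ in range(8)]
    print("unbounded:", validate_rrset(keys, sigs, budget=10 ** 9))  # 64 attempts
    print("budget 32:", validate_rrset(keys, sigs, budget=32))       # suspended
```

With k colliding keys and s signatures on one RRset the naive loop costs k*s verifications, and a zone can repeat that across many RRsets in a single response; the budget turns that unbounded burst into bounded slices that other queries can interleave with.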
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner from the German National Research Center for Applied Cybersecurity ATHENE for discovering and responsibly disclosing the KeyTrap vulnerability.
We would like to thank Petr Špaček from ISC for discovering and responsibly disclosing the NSEC3 vulnerability.
Unbound 1.19.0
This release fixes a number of bugs, and adds some smaller features.
The redis-logical-db option and the cachedb-no-store option can be used for cachedb configuration. The disable-edns-do option can be used to work around broken network parts. For DNS64 there is now a fallback to plain AAAA when no A record exists.
There is a bug fix so that when the UDP interface keeps returning that sending is not possible, Unbound does not loop endlessly but instead waits for the condition to go away.
Resource records of type A and AAAA that have an inappropriate length are removed from responses. This hardens against bad content.