unbound

Unbound 1.19.3

This release has a number of bug fixes. The CNAME synthesized for a
DNAME record uses the original TTL, of the DNAME record, and that means
it can be cached for the TTL, instead of 0.

There is a fix that when a message was stored in cache, but one of the
RRsets was not updated due to cache policy, it now restricts the message
TTL if the cache version of the RRset has a shorter TTL. It avoids a
bug where the message is not expired, but its contents is expired.

For dnstap, it logs type DoH and DoT correctly, if that is used for
the message.

The b.root-servers.net address is updated in the default root hints.

When performing retries for failed sends, a retry at a smaller UDP size
is now not performed when that attempt is not actually smaller, and at
defaults, since the flag day changes, it is the same size. This makes
it skip the step, it is useless because there is no reduction in size.

Clients with a valid DNS Cookie will bypass the ratelimit, if one is
set. The value from ip-ratelimit-cookie is used for these queries.

Furthermore there is a fix to make correct EDE Prohibited answers for
access control denials, and a fix for EDNS client subnet scope zero
answers.

Features:

• Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
  per RFC 6672.

Bug Fixes:

• Fix unit test parse of origin syntax.
• Use 127.0.0.1 explicitly in tests to avoid delays and errors on
  newer systems.
• Fix #964: config.h.in~ backup file in release tar balls.
• Merge #968: Replace the obsolescent fgrep with grep -F in tests.
• Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
• Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
• Fix dnstap that assertion failed on logging other than UDP and TCP
  traffic. It lists it as TCP traffic.
• Fix to sync the tests script file common.sh.
• iana portlist update.
• Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
• Update test script file common.sh.
• Fix tests to use new common.sh functions, wait_logfile and
  kill_from_pidfile.
• Fix #974: doc: default number of outgoing ports without libevent.
• Merge #975: Fixed some syntax errors in rpl files.
• Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
  now that the root has a valid ZONEMD.
• Update example.conf with cookie options.
• Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
  for non-HTTP/2 DoH clients.
• Merge #985: Add DoH and DoT to dnstap message.
• Fix #983: Sha1 runtime insecure change was incomplete.
• Remove unneeded newlines and improve indentation in remote control
  code.
• Merge #987: skip edns frag retry if advertised udp payload size is
  not smaller.
• Fix unit test for #987 change in udp1xxx retry packet send.
• Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
• Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
• Fix to link with libssp for libcrypto and getaddrinfo check for
  only header. Also update crosscompile to remove ssp for 32bit.
• Merge #993: Update b.root-servers.net also in example config file.
• Update workflow for ports to use newer openssl on windows compile.
• Fix warning for windres on resource files due to redefinition.
• Fix for #997: Print details for SSL certificate failure.
• Update error printout for duplicate trust anchors to include the
  trust anchor name (relates to #920).
• Update message TTL when using cached RRSETs. It could result in
  non-expired messages with expired RRSETs (non-usable messages by
  Unbound).
• Merge #999: Search for protobuf-c with pkg-config.
• Fix #1006: Can't find protobuf-c package since #999.
• Fix documentation for access-control in the unbound.conf man page.
• Merge #1010: Mention REFUSED has the TC bit set with unmatched
  allow_cookie acl in the manpage. It also fixes the code to match the
  documentation about clients with a valid cookie that bypass the
  ratelimit regardless of the allow_cookie acl.
• Document the suspend argument for process_ds_response().
• Move github workflows to use checkoutv4.
• Fix edns subnet replies for scope zero answers to not get stored
  in the global cache, and in cachedb, when the upstream replies
  without an EDNS record.
• Fix for #1022: Fix ede prohibited in access control refused answers.
• Fix unbound-control-setup.cmd to use 3072 bits so that certificates
  are long enough for newer OpenSSL versions.
• Fix TTL of synthesized CNAME when a DNAME is used from cache.
• Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
  like unbound-control-setup.sh has.

Unbound 1.19.2

This security release fixes CVE-2024-1931.

NLnet Labs Unbound version 1.18.0 up to and including version 1.19.1
contain a vulnerability that can cause denial of service by a certain
code path that can lead to an infinite loop.

Unbound 1.18.0 introduced a feature that removes EDE records from
responses with size higher than the client's advertised buffer size.
Before removing all the EDE records however, it would try to see if
trimming the extra text fields on those records would result in an
acceptable size while still retaining the EDE codes.
Due to an unchecked condition, the code that trims the text of the EDE
records could loop indefinitely.
This happens when Unbound would reply with attached EDE information on a
positive reply and the client's buffer size is smaller than the needed
space to include EDE records.

The vulnerability can only be triggered when the 'ede: yes' option is
used; non default configuration.

From version 1.19.2 on, the code is fixed to avoid looping indefinitely.

We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for
notifying us about the issue and working with us to identify the
vulnerability.

Bug Fixes:

• Fix CVE-2024-1931, Denial of service when trimming EDE text on
  positive replies.

Unbound 1.19.1

This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of Keys (also
colliding Keys), Signatures and number of RRSETs on a malicious zone.
Answers from that zone can force a DNSSEC validator down a very CPU
intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses on a malicious
zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very
CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to regular
traffic) validating a single specially crafted DNSSEC response while
everything else is on hold for that thread. A trivially orchestrated
attack could render all threads busy with such responses leading to
denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC response
validations that seem to require more attempts than Unbound is willing
to make per response validation run. Suspension means that Unbound
will continue with other work before resuming a suspended validation
offering CPU time between validation resumptions to other tasks. There is
a backoff timer when suspending which is further influenced by the number
of suspends already used and the amount of work currently in Unbound.

The introduced builtin limits in Unbound are:

• Max 4 DNSSEC key collissions are allowed when building chain of trust.
  More than that without a secure key treats the delegation as bogus.
• 8 validation attempts per RRSET (combination of keys + signatures).
  If more are needed and Unbound has yet to find a valid signature
  the RRSET is treated as bogus.
• More than 8 validation attempts per answer will suspend validation.
• 8 NSEC3 hash calculations are allowed before suspension. More than
  that will suspend validation.
• The limit of total suspensions is 16 after which the query will error
  out. Any completed RRSET validations populate the cache for use in
  future queries.

While under attack Unbound could show higher CPU load because of the
needed validations but the suspend strategy would guarantee the CPU is
not locked on any particular validation task.

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for discovering and responsibly disclosing the
KeyTrap vulnerability.

We would like to thank Petr Špaček from ISC for discovering and
responsibly disclosing the NSEC3 vulnerability.

Bug Fixes

• Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
  exhaust CPU resources and stall DNS resolvers.
• Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

Unbound 1.19.0

This release fixes a number of bugs, and adds some smaller features.
The redis-logical-db option and cachedb-no-store option can be used
for cachedb configuration. The disable-edns-do option can be used for
working around broken network parts. For DNS64 there is fallback to
plain AAAA when no A record exists.

There is a bug fix that when the UDP interface keeps returning that
sending is not possible, unbound does not loop endlessly and waits
for the condition to go away.

Resource records of type A and AAAA that are an inappropriate length
are removed from responses. This hardens against bad content.

Features

• Fix #850: [FR] Ability to use specific database in Redis, with new
  redis-logical-db configuration option.
• Merge #944: Disable EDNS DO.
  Disable the EDNS DO flag in upstream requests. This can be helpful
  for devices that cannot handle DNSSEC information. But it should not
  be enabled otherwise, because that would stop DNSSEC validation. The
  DNSSEC validation would not work for Unbound itself, and also not
  for downstream users. Default is no. The option
  is disable-edns-do: no
• Expose the script filename in the Python module environment 'mod_env'
  instead of the config_file structure which includes the linked list
  of scripts in a multi Python module setup; fixes #79.
• Expose the configured listening and outgoing interfaces, if any, as
  a list of strings in the Python 'config_file' class instead of the
  current Swig object proxy; fixes #79.
• Mailing list patches from Daniel Gröber for DNS64 fallback to plain
  AAAA when no A record exists for synthesis, and minor DNS64 code
  refactoring for better readability.
• Merge #951: Cachedb no store. The cachedb-no-store: yes option is
  used to stop cachedb from writing messages to the backend storage.
  It reads messages when data is available from the backend. The
  default is no.

Bug Fixes

• Fix for version generation race condition that ignored changes.
• Fix #942: 1.18.0 libunbound DNS regression when built without
  OpenSSL.
• Fix for WKS call to getservbyname that creates allocation on exit
  in unit test by testing numbers first and testing from the services
  list later.
• Fix autoconf 2.69 warnings in configure.
• Fix #927: unbound 1.18.0 make test error. Fix make test without SHA1.
• Merge #931: Prevent warnings from -Wmissing-prototypes.
• Fix to scrub resource records of type A and AAAA that have an
  inappropriate size. They are removed from responses.
• Fix to move msgparse_rrset_remove_rr code to util/msgparse.c.
• Fix to add EDE text when RRs have been removed due to length.
• Fix to set ede match in unit test for rr length removal.
• Fix to print EDE text in readable form in output logs.
• Fix send of udp retries when ENOBUFS is returned. It stops looping
  and also waits for the condition to go away. Reported by Florian
  Obser.
• Fix authority zone answers for obscured DNAMEs and delegations.
• Merge #936: Check for c99 with autoconf versions prior to 2.70.
• Fix to remove two c99 notations.
• Fix rpz tcp-only action with rpz triggers nsdname and nsip.
• Fix misplaced comment.
• Merge #881: Generalise the proxy protocol code.
• Fix #946: Forwarder returns servfail on upstream response noerror no
  data.
• Fix edns subnet so that queries with a source prefix of zero cause
  the recursor send no edns subnet option to the upstream.
• Fix that printout of EDNS options shows the EDNS cookie option by
  name.
• Fix infinite loop when reading multiple lines of input on a broken
  remote control socket. Addesses #947 and #948.
• Fix #949: "could not create control compt".
• Fix that cachedb does not warn when serve-expired is disabled about
  use of serve-expired-reply-ttl and serve-expired-client-timeout.
• Fix for #949: Fix pythonmod/ubmodule-tst.py for Python 3.x.
• Better fix for infinite loop when reading multiple lines of input on
  a broken remote control socket, by treating a zero byte line the
  same as transmission end. Addesses #947 and #948.
• For multi Python module setups, clean previously parsed module
  functions in main's dictionary, if any, so that only current
  module functions are registered.
• Fix #954: Inconsistent RPZ handling for A record returned along with
  CNAME.
• Fixes for the DNS64 patches.
• Update the dns64_lookup.rpl test for the DNS64 fallback patch.
• Merge #955 from buevsan: fix ipset wrong behavior.
• Update testdata/ipset.tdir test for ipset fix.
• Fix to print detailed errors when an SSL IO routine fails via
  SSL_get_error.
• Clearer configure text for missing protobuf-c development libraries.
• autoconf.
• Merge #930 from Stuart Henderson: add void to
  log_ident_revert_to_default declaration.
• Fix #941: dnscrypt doesn't work after upgrade to 1.18 with
  suggestion by dukeartem to also fix the udp_ancil with dnscrypt.
• Fix SSL compile failure for definition in log_crypto_err_io_code_arg.
• Fix SSL compile failure for other missing definitions in
  log_crypto_err_io_code_arg.
• Fix compilation without openssl, remove unused function warning.
• Mention flex and bison in README.md when building from repository
  source.