head 1.1;
branch 1.1.1;
access ;
symbols
    unbound-1-25-1:1.1.1.1
    NLNETLABS:1.1.1;
locks ; strict;
comment @# @;


1.1
date 2026.05.21.16.11.47; author christos; state Exp;
branches
    1.1.1.1;
next ;
commitid KUtmCKdRNks7oHGG;

1.1.1.1
date 2026.05.21.16.11.47; author christos; state Exp;
branches ;
next ;
commitid KUtmCKdRNks7oHGG;


desc
@@


1.1
log
@Initial revision
@
text
@; config options
server:
    target-fetch-policy: "0 0 0 0 0"
    qname-minimisation: no
    minimal-responses: yes
    ; respip is before dns64 in the module list.
    module-config: "respip dns64 validator iterator"
    dns64-prefix: 64:ff9b::0/96
    response-ip: 10.20.30.42/32 always_refuse
    response-ip: 10.20.30.43/32 redirect
    response-ip-data: 10.20.30.43/32 "A 4.5.6.3"
    response-ip: 5.6.7.9/32 redirect
    response-ip-data: 5.6.7.9/32 "A 4.5.6.7"
    response-ip: 5.6.7.10/32 always_nxdomain
    response-ip: 64:ff9b::506:70B/128 redirect
    response-ip-data: 64:ff9b::506:70B/128 "AAAA 2001:db8::4"

rpz:
    name: "rpz.example.com."
    rpz-log: yes
    zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
        1379078166 28800 7200 604800 7200 )
    3600 IN NS ns1.rpz.example.com.
    3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
32.44.30.20.10.rpz-ip CNAME .
32.12.7.6.5.rpz-ip CNAME .
32.13.7.6.5.rpz-ip A 4.5.6.13
32.14.7.6.5.rpz-ip CNAME alias.example.com.
TEMPFILE_END

stub-zone:
    name: "."
    stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test respip and dns64 lookup.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 1000
    ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 1000
    ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 1000
    ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www2.example.com. IN A
SECTION ANSWER
www2.example.com. IN A 10.20.30.42
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www3.example.com. IN A
SECTION ANSWER
www3.example.com. IN A 10.20.30.43
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www4.example.com. IN A
SECTION ANSWER
www4.example.com. IN A 10.20.30.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4.example.com. IN A
SECTION ANSWER
ip4.example.com. IN A 5.6.7.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-2.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-2.example.com. IN A
SECTION ANSWER
ip4-2.example.com. IN A 5.6.7.9
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-3.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-3.example.com. IN A
SECTION ANSWER
ip4-3.example.com. IN A 5.6.7.10
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-4.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-4.example.com. IN A
SECTION ANSWER
ip4-4.example.com. IN A 5.6.7.11
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-5.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-5.example.com. IN A
SECTION ANSWER
ip4-5.example.com. IN A 5.6.7.12
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-6.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-6.example.com. IN A
SECTION ANSWER
ip4-6.example.com. IN A 5.6.7.13
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-7.example.com. IN AAAA
SECTION ANSWER
; NO AAAA present
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ip4-7.example.com. IN A
SECTION ANSWER
ip4-7.example.com. IN A 5.6.7.14
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
alias.example.com. IN A
SECTION ANSWER
alias.example.com. IN A 4.5.6.14
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; The query is unaltered.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www2.example.com. IN A
ENTRY_END

; The query is altered by respip, A query refused.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA REFUSED
SECTION QUESTION
www2.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www3.example.com. IN A
ENTRY_END

; The query is altered by respip, with redirect.
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www3.example.com. IN A
SECTION ANSWER
www3.example.com. IN A 4.5.6.3
ENTRY_END

STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4.example.com. IN AAAA
ENTRY_END

; synthesize from A record 5.6.7.8 with DNS64.
STEP 70 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4.example.com. IN AAAA
SECTION ANSWER
ip4.example.com. IN AAAA 64:ff9b::506:708
ENTRY_END

STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-2.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is altered by respip, with redirect.
; and the respip result is dns64 synthesized.
STEP 90 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-2.example.com. IN AAAA
SECTION ANSWER
ip4-2.example.com. IN AAAA 64:ff9b::405:607
ENTRY_END

STEP 100 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-3.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is altered by respip, with nxdomain.
; and the respip result is dns64 synthesized.
STEP 110 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-3.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

STEP 120 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-4.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is synthesized, respip operates on the
; synthesized AAAA result, and makes a redirect.
STEP 130 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-4.example.com. IN AAAA
SECTION ANSWER
ip4-4.example.com. IN AAAA 2001:db8::4
ENTRY_END

STEP 140 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www4.example.com. IN A
ENTRY_END

; The query is blocked by rpz.
STEP 150 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NXDOMAIN
SECTION QUESTION
www4.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 160 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-5.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is blocked by RPZ.
STEP 170 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-5.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
example.com. IN SOA a. b. 1 2 3 4 5
ENTRY_END

STEP 180 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-6.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is redirected by RPZ.
STEP 190 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-6.example.com. IN AAAA
SECTION ANSWER
ip4-6.example.com. AAAA 64:ff9b::405:60d
ENTRY_END

STEP 200 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ip4-7.example.com. IN AAAA
ENTRY_END

; The dns64 subquery is a CNAME by RPZ.
; that CNAME resolves to an A record, dns64 synthesizes that A record.
STEP 210 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ip4-7.example.com. IN AAAA
SECTION ANSWER
ip4-7.example.com. CNAME alias.example.com.
alias.example.com. AAAA 64:ff9b::405:60e
ENTRY_END

SCENARIO_END
@


1.1.1.1
log
@Import unbound 1.25.1 (previous was 1.24.2)

Bug Fixes

    Fix CVE-2026-33278, Possible remote code execution during DNSSEC
    validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

    Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie,
    padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the
    report.

    Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content.
    Thanks to Qifan Zhang, Palo Alto Networks, for the report.

    Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
    Griffiths from 'calif.io' for the report.

    Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang,
    Palo Alto Networks, for the report.

    Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades
    performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo
    Alto Networks, for the report.

    Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance.
    Thanks to Qifan Zhang, Palo Alto Networks, for the report.

    Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash
    calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

    Fix CVE-2026-42960, Possible cache poisoning attack while following
    delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and
    JianJun Chen, Tsinghua University, for the report.

    Fix CVE-2026-44390, Unbounded name compression in certain cases causes
    degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for
    the report.

    Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan
    Zhang, Palo Alto Networks, for the report.

For changes to older versions see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
@
text
@@