head	1.1;
branch	1.1.1;
access	;
symbols
	unbound-1-25-1:1.1.1.1
	NLNETLABS:1.1.1;
locks	; strict;
comment	@# @;


1.1
date	2026.05.21.16.11.47;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	KUtmCKdRNks7oHGG;

1.1.1.1
date	2026.05.21.16.11.47;	author christos;	state Exp;
branches	;
next	;
commitid	KUtmCKdRNks7oHGG;


desc
@@


1.1
log
@Initial revision
@
text
@; Check that a SERVFAIL answer is not stored in the global cache, and
; does not block ECS queries from reaching the ECS cache.
server:
	trust-anchor-signaling: no
	target-fetch-policy: "0 0 0 0 0"
	;send-client-subnet: 1.2.3.4
	client-subnet-zone: "example.com"
	max-client-subnet-ipv4: 21
	module-config: "subnetcache iterator"
	verbosity: 3
	access-control: 127.0.0.1 allow_snoop
	qname-minimisation: no
	minimal-responses: yes
	prefetch: yes
	outbound-msg-retry: 3
	ede: yes
	log-servfail: yes

stub-zone:
	name: "example.com."
	stub-addr: 1.2.3.4
CONFIG_END

SCENARIO_BEGIN Test that SERVFAIL after timeout does not block clients from reaching the ECS cache
; and that, within the servfail time (a couple of seconds), the SERVFAIL
; stays cached for the subnet queries for that name.

; ns.example.com.
RANGE_BEGIN 1 20
	ADDRESS 1.2.3.4
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			example.com. IN NS
		SECTION ANSWER
			example.com. IN NS ns.example.com.
		SECTION ADDITIONAL
			ns.example.com. IN A 1.2.3.4
	ENTRY_END

	; response to query of interest
	ENTRY_BEGIN
		MATCH opcode qtype qname ednsdata
		ADJUST copy_id copy_ednsdata_assume_clientsubnet
		REPLY QR NOERROR
		SECTION QUESTION
			www.example.com. IN A
		SECTION ANSWER
			www.example.com. 10 IN A 10.20.30.40
		SECTION AUTHORITY
		SECTION ADDITIONAL
			HEX_EDNSDATA_BEGIN
						; client subnet is 127.0.0.0/8
				00 08		; OPC
				00 05		; option length
				00 01		; Family
				08 00		; source mask, scopemask
				7f		; address
			HEX_EDNSDATA_END
	ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 100 120
	ADDRESS 1.2.3.4
	; response to query of interest
	ENTRY_BEGIN
		MATCH opcode qtype qname ednsdata
		ADJUST copy_id copy_ednsdata_assume_clientsubnet
		REPLY QR NOERROR
		SECTION QUESTION
			www.example.com. IN A
		SECTION ANSWER
			www.example.com. 10 IN A 10.20.30.41
		SECTION AUTHORITY
		SECTION ADDITIONAL
			HEX_EDNSDATA_BEGIN
						; client subnet is 1.0.0.0/8
				00 08		; OPC
				00 05		; option length
				00 01		; Family
				08 00		; source mask, scopemask
				01		; address
			HEX_EDNSDATA_END
	ENTRY_END
RANGE_END

; Put an item in the subnet cache.
STEP 10 QUERY
ENTRY_BEGIN
	REPLY RD DO
	SECTION QUESTION
		www.example.com. IN A
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 08	; ip4, source 8, scope 8
			7f		; 127.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

STEP 20 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all ttl
	REPLY QR RD RA DO NOERROR
	SECTION QUESTION
		www.example.com. IN A
	SECTION ANSWER
		www.example.com. 10 IN A 10.20.30.40
	SECTION AUTHORITY
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 08	; ip4, source 8, scope 8
			7f		; 127.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

; There is now a valid subnet answer in the cache.
; This query times out.
STEP 30 QUERY
ENTRY_BEGIN
	REPLY RD DO
	SECTION QUESTION
		www.example.com. IN A
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 00	; ip4, source 8, scope 0
			01		; 1.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

; This query faces timeouts during the resolution.
; The timed-out query is the 1.0.0.0/8 subnet lookup of www.example.com. A.
STEP 31 TIMEOUT
STEP 32 TIMEOUT
STEP 33 TIMEOUT

STEP 40 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RD DO RA SERVFAIL
	SECTION QUESTION
		www.example.com. IN A
ENTRY_END

; Check that the subnet cache item can still be accessed.
STEP 50 QUERY
ENTRY_BEGIN
	REPLY RD DO
	SECTION QUESTION
		www.example.com. IN A
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 00	; ip4, source 8, scope 0
			7f		; 127.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

STEP 60 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all ttl
	REPLY QR RD RA DO NOERROR
	SECTION QUESTION
		www.example.com. IN A
	SECTION ANSWER
		www.example.com. 10 IN A 10.20.30.40
	SECTION AUTHORITY
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 08	; ip4, source 8, scope 8
			7f		; 127.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

; The existing subnet cache item can be accessed.
; A new query for the timed-out subnet, inside the servfail time, is
; still answered from the cached SERVFAIL.
STEP 70 QUERY
ENTRY_BEGIN
	REPLY RD DO
	SECTION QUESTION
		www.example.com. IN A
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 00	; ip4, source 8, scope 0
			01		; 1.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

STEP 80 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RD DO RA SERVFAIL
	SECTION QUESTION
		www.example.com. IN A
ENTRY_END

; After a couple of seconds, the servfail entry should have cleared.
STEP 90 TIME_PASSES ELAPSE 10

STEP 100 QUERY
ENTRY_BEGIN
	REPLY RD DO
	SECTION QUESTION
		www.example.com. IN A
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 00	; ip4, source 8, scope 0
			01		; 1.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END

STEP 110 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all ttl
	REPLY QR RD RA DO NOERROR
	SECTION QUESTION
		www.example.com. IN A
	SECTION ANSWER
		www.example.com. 10 IN A 10.20.30.41
	SECTION AUTHORITY
	SECTION ADDITIONAL
		HEX_EDNSDATA_BEGIN
			00 08 00 05	; OPC, optlen
			00 01 08 08	; ip4, source 8, scope 8
			01		; 1.0.0.0/8
		HEX_EDNSDATA_END
ENTRY_END
SCENARIO_END
@


1.1.1.1
log
@Import unbound 1.25.1 (previous was 1.24.2)

Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

For changes to older versions see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
@
text
@@
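The HEX_EDNSDATA blobs in the scenario above are raw EDNS Client Subnet options (RFC 7871): a 2-byte option code (8), a 2-byte length, then family, source prefix length, scope prefix length and only as many address bytes as the source prefix needs. The following is an added Python example, not code from Unbound or from this testbound scenario, that encodes and decodes that option with the length and padding checks a resolver has to apply before trusting client-supplied bytes. The sample byte strings are constructed here from the blobs the scenario sends; the names (ClientSubnet, encode_ecs, parse_edns_options, decode_ecs, decode_scenario_blob, ecs_fails) are this example's own.

```python
"""EDNS Client Subnet (RFC 7871) encoder/decoder with input validation.
Added example; not part of Unbound or its testbound scenario."""
import ipaddress
import struct
from dataclasses import dataclass

OPT_CODE_ECS = 8                    # IANA EDNS option code: edns-client-subnet
FAMILY_IPV4, FAMILY_IPV6 = 1, 2     # IANA address family numbers
ADDR_BITS = {FAMILY_IPV4: 32, FAMILY_IPV6: 128}


@dataclass(frozen=True)
class ClientSubnet:
    family: int
    source_prefix: int
    scope_prefix: int
    address: bytes      # full-length address; bits beyond source_prefix are zero

    def network(self) -> str:
        return f"{ipaddress.ip_address(self.address)}/{self.source_prefix}"


def encode_ecs(family: int, source_prefix: int, scope_prefix: int, address: str) -> bytes:
    """Build a complete OPT option: code, length, then the ECS payload."""
    bits = ADDR_BITS[family]
    if not (0 <= source_prefix <= bits and 0 <= scope_prefix <= bits):
        raise ValueError("prefix length exceeds address size")
    packed = ipaddress.ip_address(address).packed
    if len(packed) * 8 != bits:
        raise ValueError("address does not match family")
    nbytes = (source_prefix + 7) // 8          # only the bytes the prefix covers
    addr = bytearray(packed[:nbytes])
    if source_prefix % 8:                      # RFC 7871 s6: bits past the prefix MUST be zero
        addr[-1] &= (0xFF << (8 - source_prefix % 8)) & 0xFF
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix) + bytes(addr)
    return struct.pack("!HH", OPT_CODE_ECS, len(payload)) + payload


def parse_edns_options(rdata: bytes) -> list[tuple[int, bytes]]:
    """Walk OPT RDATA as (code, data) pairs. Every length field is checked
    against the bytes actually present before it is used as an offset."""
    options, off = [], 0
    while off < len(rdata):
        if len(rdata) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if length > len(rdata) - off:
            raise ValueError("option length runs past end of OPT data")
        options.append((code, rdata[off:off + length]))
        off += length
    return options


def decode_ecs(payload: bytes) -> ClientSubnet:
    """Validate and decode one ECS option payload (bytes after code/length)."""
    if len(payload) < 4:
        raise ValueError("ECS payload shorter than its fixed header")
    family, source, scope = struct.unpack_from("!HBB", payload, 0)
    if family not in ADDR_BITS:
        raise ValueError(f"unknown address family {family}")
    bits = ADDR_BITS[family]
    if source > bits or scope > bits:
        raise ValueError("prefix length exceeds address size")
    addr = payload[4:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match source prefix")
    if source % 8 and addr[-1] & (0xFF >> (source % 8)):
        raise ValueError("non-zero bits beyond source prefix")
    return ClientSubnet(family, source, scope, addr + bytes(bits // 8 - len(addr)))


def decode_scenario_blob(hexstr: str) -> ClientSubnet:
    """Decode a HEX_EDNSDATA blob as written in the scenario (code+length included)."""
    ecs = [data for code, data in parse_edns_options(bytes.fromhex(hexstr))
           if code == OPT_CODE_ECS]
    if len(ecs) != 1:
        raise ValueError("expected exactly one ECS option")
    return decode_ecs(ecs[0])


def ecs_fails(hexstr: str) -> bool:
    """True if the blob is rejected by the checks above."""
    try:
        decode_scenario_blob(hexstr)
    except ValueError:
        return True
    return False


# Constructed inputs: the blobs the scenario sends, plus a malformed one.
STEP10_QUERY = "00 08 00 05 00 01 08 08 7f"      # 127.0.0.0/8, scope 8
STEP30_QUERY = "00 08 00 05 00 01 08 00 01"      # 1.0.0.0/8, scope 0
UPSTREAM_127 = "00 08 00 05 00 01 08 00 7f"      # what RANGE 1-20 matches on
OVERLONG     = "00 08 00 09 00 01 08 00 7f"      # claims 9 payload bytes, carries 5

if __name__ == "__main__":
    for name, blob in [("STEP10", STEP10_QUERY), ("STEP30", STEP30_QUERY),
                       ("UPSTREAM", UPSTREAM_127)]:
        cs = decode_scenario_blob(blob)
        print(name, cs.network(), "scope", cs.scope_prefix)
    print("OVERLONG rejected:", ecs_fails(OVERLONG))
```

The three checks in decode_ecs are the ones that matter when the option comes from an untrusted client: the address must be exactly ceil(source/8) bytes, the prefix lengths must fit the family, and the bits beyond the prefix must be zero, otherwise two clients in the same /8 could produce different cache keys for the same subnet. parse_edns_options shows the companion rule for the OPT RDATA walk: validate each option length against the bytes present before using it as an offset.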