head	1.1;
branch	1.1.1;
access ;
symbols
	unbound-1-25-1:1.1.1.1
	NLNETLABS:1.1.1;
locks ; strict;
comment	@# @;


1.1
date	2026.05.21.16.11.47;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	KUtmCKdRNks7oHGG;

1.1.1.1
date	2026.05.21.16.11.47;	author christos;	state Exp;
branches ;
next	;
commitid	KUtmCKdRNks7oHGG;


desc
@@


1.1
log
@Initial revision
@
text
@# this is the upstream server that has pipelining and responds to queries.
server:
	verbosity: 1
	# num-threads: 1
	interface: 127.0.0.1@@@@PORT@@
	port: @@PORT@@
	use-syslog: no
	directory: .
	pidfile: "unbound2.pid"
	chroot: ""
	username: ""
	do-not-query-localhost: no
	tls-port: @@PORT@@
	tls-service-key: "unbound_server.key"
	tls-service-pem: "unbound_server.pem"
	tcp-idle-timeout: 10000

	log-queries: yes
	log-replies: yes
	log-identity: "upstream"

	local-zone: "." refuse
	local-zone: "example.com" static
	local-data: "www.example.com A 10.20.30.40"
	local-data: "www1.example.com A 10.20.30.41"
	local-data: "www2.example.com A 10.20.30.42"
	local-data: "www3.example.com A 10.20.30.43"
	local-data: "www4.example.com A 10.20.30.44"
	local-data: "www5.example.com A 10.20.30.45"
	local-data: "www6.example.com A 10.20.30.46"
	local-data: "www7.example.com A 10.20.30.47"
	local-data: "www.example.org A 10.20.31.40"
	local-data: "badname.example.org A 10.20.31.41"

# if queries escape, send them to localhost
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: "127.0.0.1@@@@TOPORT@@"
@


1.1.1.1
log
@Import unbound 1.25.1 (previous was 1.24.2)

Bug Fixes

Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.

For changes to older versions see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
@
text
@@