* Mon Aug 11 2025 mrueckert@suse.de
- simplify python handling. python2 support is dropped and python3
is built by default. Conditionals for the latter are removed.
* Mon Aug 11 2025 mrueckert@suse.de
- enable EDNS subnet handling
* Sun Aug 10 2025 mrueckert@suse.de
- Update to 1.23.1: (boo#1246625)
Bug Fixes:
* Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
AOSP Lab Nankai University.
- our package was not built with EDNS subnet support up to this
point and therefor was not affected.
* Sun Aug 10 2025 mrueckert@suse.de
- prepare enabling quic support:
currently fails on missing quic support in openssl. aws-lc is
sadly not a drop in replacement for unbound.
- enable TCP Fast Open for the server and client
- remove unused --with-ldns option
- enable cachedb including hiredis support on Tumbleweed
new BuildRequires pkgconfig(libhiredis)
* Sun Jul 20 2025 mia@0x0.st
- Remove leftover dependency on sudo (not required)
See also: boo#1215628
* Thu Apr 24 2025 jorik.cronenberg@suse.com
- Update to 1.23.0:
Features:
* Increase the default of max-global-quota to 200 from 128 after
operational feedback. Still keeping the possible amplification
factor (CAMP related issues) in the hundreds.
* Fix #1175: serve-expired does not adhere to secure-by-default
principle. The default value of serve-expired-client-timeout
is set to 1800 as suggested by RFC8767.
* For #1175, the default value of serve-expired-ttl is set to 86400
(1 day) as suggested by RFC8767.
* For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
* Add resolver.arpa and service.arpa to the default locally served
zones.
* Merge #1042: Fast Reload. The unbound-control fast_reload is added.
It reads changed config in a thread, then only briefly pauses the
service threads, that keep running. DNS service is only interrupted
briefly, less than a second.
* Merge #1019: Redis read-only replica support.
Introduces new 'redis-replica-*' options for the Redis cache backend.
* Merge #902: DNS Error Reporting (RFC 9567). Introduces new
configuration option 'dns-error-reporting' and new statistics for
'num.dns_error_reports'.
Bug Fixes:
* Fix #1154: Tag Incorrectly Applying for Other Interfaces
Using the Same IP. This fix is not for 1.22.0.
* Fix #1163: Typos in unbound.conf documentation.
* Merge #1159: Stats for discard-timeout and wait-limit.
* Add test case for #1159.
* Some clean up for stat_values.test.
* Merge #1170 from Melroy van den Berg, Fix chroot manpage
description.
* Merge #1157 from Liang Zhu, Fix heap corruption when calling
ub_ctx_delete in Windows.
* Fix redis that during a reload it does not fail if the redis
server does not connect or does not respond. It still logs the
errors and if the server is up checks expiration features.
* Merge #1167: Makefile.in: fix occasional parallel build failures
around bison rule.
* Fix SETEX check during Redis (re)initialization.
* Fix for the serve expired DNSSEC information fix, it would not allow
current delegation information be updated in cache. The fix allows
current delegation and validation recursion information to be
updated, but as a consequence no longer has certain expired
information around for later dnssec valid expired responses.
* Fix to log redis timeout error string on failure.
* More descriptive text for 'harden-algo-downgrade'.
* Complete fix for max-global-quota to 200.
* Fix #1183: the data being used is released in method
nsec3_hash_test_entry.
* Fix for #1183: release nsec3 hashes per test file.
* Merge #1169 from Sergey Kacheev, fix: lock-free counters for
auth_zone up/down queries.
* Fix comparison to help static analyzer.
* For #1175, update serve-expired tests.
* Merge #1189: Fix the dname_str method to cause conversion errors
when the domain name length is 255.
* Merge #1197: dname_str() fixes.
* Merge #1198: Fix log-servfail with serve expired and no useful cache
contents.
* Safeguard alias loop while looking in the cache for expired answers.
* Merge #1187: Create the SSL_CTX for QUIC before chroot and privilege
drop.
* Fix typo in log_servfail.tdir test.
* Merge #1204: ci: set persist-credentials: false for actions/checkout
per zizmor suggestion.
* Merge #1174: Serve expired cache update fixes. Fixes a regression bug
with serve-expired that appeared in 1.22.0 and would not allow the
iterator to update the cache with not-yet-validated entries resulting
in increased outgoing traffic.
* Merge #1214: Use TCP_NODELAY on TLS sockets to speed up the TLS
handshake.
* Fix #1213: Misleading error message on default access control causing
refuse.
* Merge #1221: Consider auth zones when checking for forwarders.
* Merge #1222: Unique DoT and DoH SSL contexts to allow for different
ALPN.
* Create the quic SSL listening context only when needed.
* Fix compile of interface check code when dnscrypt or quic is
disabled.
* Fix encoding of RR type ATMA.
* Fix to check length in ATMA string to wire.
* Merge #1229: check before use daemon->shm_info.
* Use the same interface listening port discovery code for all needed
protocols.
* Port to string only when needed before getaddrinfo().
* Do not open unencrypted channels next to encrypted ones on the same
port.
* Merge #1224 from Theo Buehler: Do not use DSA API unless USE_DSA is
set.
* Merge #1220 from Petr Menšík, Add unbound members group access to
control key.
* Make the default value of module-config "validator iterator"
regardless of compilation options. --enable-subnet would implicitly
change the value to enable the subnetcache module by default in the
past.
* Fix #986: Resolving sas.com with dnssec-validation fails though
signed delegations seem to be (mostly) correct.
Consider reconfigurations when calculating the still_useful_timeout
for servers in the infrastructure cache.
* Fix static analysis report about unhandled EOF on error conditions
when reading anchor key files.
* Merge #1241: Fix infra-keep-probing for low infra-cache-max-rtt
values.
* Fix hash calculation for cachedb to ignore case. Previously, cached
records there were only relevant for same case queries (if not
already in Unbound's internal cache).
* Merge #1243: Do not shadow tm on line 236.
* Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
Add --help output description for the SOURCE_DATE_EPOCH variable.
* Fix 'unbound-control flush_negative' when reporting removed data;
reported by David 'eqvinox' Lamparter.
* Fix representation of types GPOS and RESINFO, add rdf type for
unquoted str.
* Fix #1251: WSAPoll first argument cannot be NULL.
* Fix for windows compile create ssl contexts.
* Fix print of RR type NSAP-PTR, it is an unquoted string.
* Fix #1253: Cache entries fail to be removed from Redis cachedb
backend with unbound-control flush* +c.
* Fix for #1253: Fix for redis cachedb backend to expect an integer
reply for the EXPIRE command.
* Fix #1254: send failed: Socket is not connected and
remote address is 0.0.0.0 port 53.
* Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
* For #1255, for ios use an older expat version that does not require
C++11 language features.
* For #1255, for ios disable building tests that require C++11.
* For #1255, for ios try the latest expat version again.
* Fix unit test dname log printout typecast.
* Fix for ci test, expat is installed on the osx image.
* iana portlist update.
* Skip the unit tests for auth_tls.tdir and auth_tls_failcert.tdir.
* Fix escape more characters when printing an RR type with an unquoted
string.
* Enable the auth_tls.tdir and auth_tls_failcert.tdir tests.
* Fix unbound-control test so it counts the new flush_negative output,
also answers the _ta probe from testns and prints command output
and skip a thread specific test when no threads are available.
* Fix that ub_event has the facility to deal with callbacks for
fast reload, doq, windows-stop and dnstap.
* Fix fast reload test to check if pid exists before acting on it.
* Merge #1262 from markyang92, fix build with
'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
* For #1262, ifdef is no longer needed.
* Fix #1263: Exempt loopback addresses from wait-limit.
* Fix wait-limit-netblock and wait-limit-cookie-netblock config parse
to allow two arguments.
* Fix ub_event and include dnstap and win_svc headers.
* Fix test for stat_values for wait limit defaults for localhost.
* Fix parameter unused warning in net_help.c.
* Fix mesh_copy_client_info to omit null contents from copy.
* Fix comment name in the rpz nsdname test.
* Fix nettle compile for warnings and ticket keys.
* Fix redis_replica test for unused option defaults and log printout.
* Fix test to speed up common.sh script kill_pid.
* Fix to update common.sh for speed of kill_pid.
* Update to the manpage for the fast_reload part.
* Fix fast_reload to print chroot with config file name.
* Fix to detect if atomic_store links in configure.
* Fix #1264: unbound 1.22.0 leaks memory when doing DoH.
* Fix for print of connection type in log-replies for dot and doh.
* Merge #1265: Fix WSAPoll.
* Wed Nov 27 2024 opensuse_buildservice@ojkastl.de
- add workaround for bug
https://github.com/NLnetLabs/unbound/issues/509
Starting up with 127.0.0.1 in the /etc/resolv.conf leads to long
delays if the anchor update is being run as ExecStartPre in the
unbound service
* Fri Oct 18 2024 jorik.cronenberg@suse.com
- Update to 1.22.0:
Features:
* Add iter-scrub-ns, iter-scrub-cname and max-global-quota
configuration options.
* Merge patch to fix for glue that is outside of zone, with
`harden-unverified-glue`, from Karthik Umashankar (Microsoft).
Enabling this option protects the Unbound resolver against bad
glue, that is unverified out of zone glue, by resolving them.
It uses the records as last resort if there is no other working
glue.
* Add redis-command-timeout: 20 and redis-connect-timeout: 200,
that can set the timeout separately for commands and the
connection set up to the redis server. If they are not
specified, the redis-timeout value is used.
* Log timestamps in ISO8601 format with timezone. This adds the
option `log-time-iso: yes` that logs in ISO8601 format.
* DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`
that enable dnsoverquic, and the counters `num.query.quic` and
`mem.quic` in the statistics output. The feature needs to be
enabled by compiling with libngtcp2, with
`--with-libngtcp2=path` and libngtcp2 needs openssl+quic, pass
that with `--with-ssl=path` to compile unbound as well.
Bug Fixes:
* unbound-control-setup hangs while testing for openssl presence
starting from version 1.21.0.
* Fix error: "memory exhausted" when defining more than 9994
local-zones.
* Fix documentation for cache_fill_missing function.
* Fix Loads of logs: "validation failure: key for validation
<domain>. is marked as invalid because of a previous" for
non-DNSSEC signed zone.
* Fix that when rpz is applied the message does not get picked up
by the validator. That stops validation failures for the
message.
* Fix that stub-zone and forward-zone clauses do not exhaust
memory for long content.
* Fix to print port number in logs for auth zone transfer
activities.
* b.root renumbering.
* Add new IANA trust anchor.
* Fix config file read for dnstap-sample-rate.
* Fix alloc-size and calloc-transposed-args compiler warnings.
* Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled
(RFC9077).
* Fix dns64 with prefetch that the prefetch is stored in cache.
* Attempt to further fix doh_downstream_buffer_size.tdir
flakiness.
* More clear text for prefetch and minimal-responses in the
unbound.conf man page.
* Fix cache update when serve expired is used. Expired records
are favored over resolution and validation failures when
serve-expired is used.
* Fix negative cache NSEC3 parameter compares for zero length
NSEC3 salt.
* Fix unbound-control-setup hangs sometimes depending on the
openssl version.
* Fix Cannot override tcp-upstream and tls-upstream with
forward-tcp-upstream and forward-tls-upstream.
* Fix to limit NSEC TTL for messages from cachedb. Fix to limit
the prefetch ttl for messages after a CNAME with short TTL.
* Fix to disable detection of quic configured ports when quic is
not compiled in.
* Fix harden-unverified-glue for AAAA cache_fill_missing lookups.
* Fix contrib/aaaa-filter-iterator.patch for change in call
signature for cache_fill_missing.
* Fix to display warning if quic-port is set but dnsoverquic is
not enabled when compiled.
* Fix dnsoverquic to extend the number of streams when one is
closed.
* Fix for dnstap with dnscrypt and dnstap without dnsoverquic.
* Fix for dnsoverquic and dnstap to use the correct dnstap
environment.
- Update keyring
* Mon Oct 07 2024 jorik.cronenberg@suse.com
- Update to 1.21.1:
Security Fixes:
* Fix CVE-2024-8508, unbounded name compression could lead to
denial of service.
[CVE-2024-8508, bsc#1231284]
- Update keyring
* Thu Aug 15 2024 jorik.cronenberg@suse.com
- Update to 1.21.0:
Security Fixes:
* Merge #1073: fix null pointer dereference issue in function
ub_ctx_set_fwd.
[CVE-2024-43167, bsc#1229068]
Features:
* Fix #1071: [FR] Clear both in-memory and cachedb module cache
with `unbound-control flush*` commands.
* Fix #144: Port ipset to BSD pf tables.
* Add dnstap-sample-rate that logs only 1/N messages, for high
volume server environments. Thanks Dan Luther.
* Add root key 38696 from 2024 for DNSSEC validation. It is added
to the default root keys in unbound-anchor. The content can be
inspected with `unbound-anchor -l`.
* Merge #1090: Cookie secret file. Adds `cookie-secret-file:
"unbound_cookiesecrets.txt"` option to store cookie secrets for
EDNS COOKIE secret rollover. The remote control
add_cookie_secret, activate_cookie_secret and
drop_cookie_secret commands can be used for rollover, the
command print_cookie_secrets shows the values in use.
Bug Fixes:
* Fix CAMP issues with global quota. Thanks to Huayi
Duan, Marco Bearzi, Jodok Vieli, and Cagin Tanir from NetSec
group, ETH Zurich.
* Fix CacheFlush issues with limit on NS RRs. Thanks to Yehuda
Afek, Anat Bremler-Barr, Shoham Danino and Yuval Shavitt
(Tel-Aviv University and Reichman University).
* Merge #1062: Fix potential overflow bug while parsing port in
function cfg_mark_ports.
* Fix for #1062: declaration before statement, avoid print of
null, and redundant check for array size.
* Fix to squelch udp connect errors in the log at low verbosity
about invalid argument for IPv6 link local addresses.
* Fix when the mesh jostle is exceeded that nameserver targets
are marked as resolved, so that the lookup is not stuck on the
requestlist.
* Add missing common functions to tdir tests.
* Merge #1070: Fix rtt assignement for low values of
infra-cache-max-rtt.
* Merge #1069: Fix unbound-control stdin commands for
multi-process Unbounds.
* Fix unbound-control commands that read stdin in multi-process
operation (local_zones_remove, local_zones, local_datas_remove,
local_datas, view_local_datas_remove, view_local_datas). They
will be properly distributed to all processes. dump_cache and
load_cache are no longer supported in multi-process operation.
* Remove testdata/remote-threaded.tdir.
testdata/09-unbound-control.tdir now checks both single and
multi process/thread operation.
* Fix to print a parse error when config is read with no name for
a forward-zone, stub-zone or view.
* Fix for parse end of forward-zone, stub-zone and view.
* Fix for #1064: Fix that cachedb expired messages are considered
insecure, and thus can be served to clients when dnssec is
enabled.
* Fix #1059: Intermittent DNS blocking failure with local-zone
and always_nxdomain. Addition of local_zones dynamically via
unbound-control was not finding the zone's parent correctly.
* Fix #1064: Unbound 1.20 Cachedb broken?
* Fix unused variable warning on compilation with no thread
support.
* unbound-control-setup: check openssl availability before doing
anything, patch from Michael Tokarev.
* Update patch to remove 'command' shell builtin and update error
text.
* Fix to enable that SERVFAIL is cached, for a short period, for
more cases. In the cases where limits are exceeded.
* Fix spelling of tcp-idle-timeout docs, from Michael Tokarev.
* Merge #1078: Only check old pid if no username.
* Fix #1079: tags from tagged rpz zones are no longer honored
after upgrade from 1.19.3 to 1.20.0.
* Fix for #1079: fix RPZ taglist in iterator callback that no
client info is like no taglist intersection.
* Fix to squelch connection reset by peer errors from log. And
fix that the tcp read errors are labeled as initial for the
first calls.
* Merge #1080: AddressSanitizer detection in tdir tests and
memory leak fixes.
* Fix memory leak when reload_keep_cache is used and num-threads
changes.
* Fix memory leak on exit for unbound-dnstap-socket; creates
false negatives during testing.
* Fix memory leak in setup of dsa sig.
* Fix typos for 'the the' in text.
* Fix validation for repeated use of a DNAME record.
* Add unit test for validation of repeated use of a DNAME record.
* Fix #1091: Build fails with OpenSSL >= 3.0 built with
OPENSSL_NO_DEPRECATED.
* Fix #1092: Ubuntu 22.04 Jammy fails to compile unbound 1.20.0;
by adding helpful text for the Python interpreter version and
allowing the default pkg-config unavailability error message to
be shown.
* Fix pkg-config availability check in dnstap/dnstap.m4 and
systemd.m4.
* Explicitly set the RD bit for the mesh query flags when
prefetching. These queries have no waiting client but they need
to be treated as recursive.
* Fix ip-ratelimit-cookie setting, it was not applied.
* Fix to remove unused include from the readzone test program.
* Fix unused variable warning in do_cache_remove.
* Fix compile warning in worker pthread id printout.
* Add unit test skip files and bison and flex output to
gitignore.
* Fix to use modstack_init in zonemd unit test.
* Fix to remove unneeded linebreak in fptr_wlist.c.
* Fix compile warnings in fptr_wlist.c.
* Fix for repeated use of a DNAME record: first overallocate and
then move the exact size of the init value to avoid false
positive heap overflow reads from address sanitizers.
* Fix to print details about the failure to lookup a DNSKEY
record when validation fails due to the missing DNSKEY. Also
for key prime and DS lookups.
* Fix for neater printout for error for missing DS response.
* Fix neater printout.
* Fix #1099: Unbound core dump on SIGSEGV.
* Fix for #1099: Fix to check for deleted RRset when the contents
is updated and fetched after it is stored, and also check for a
changed RRset.
* Don't check for message TTL changes if the RRsets remain the
same.
* Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation
buffer.
* Fixup algo_needs_reason string buffer length.
* Fix shadowed error string variable in validator dnskey
handling.
* Update list of known EDE codes.
* For #773: In contrib/unbound.service.in set unbound to start
after network-online.target. Also for
contrib/unbound_portable.service.in.
* Fix #1103: unbound 1.20.0 segmentation fault with nghttp2.
* For #1103: fix to also drop mesh state reference when a h2
reply is dropped.
* Add RPZ tag tests in acl_interface.tdir.
* For #1102: clearer text for using interface-* options for the
loopback interface.
* For #1103: fix to also drop mesh state reference when the
discard limit is reached, when there is an error making a new
recursion state and when the connection is dropped with
is_drop.
* For #1103: Fix to drop mesh state reference for the http2
stream associated with the reply, not the currently active
stream. And it does not remove it twice on a mesh_send_reply
call. The reply h2_stream is NULL when not in use, for more
initialisation.
* Fix dnstap wakeup, a running wakeup timer is left to expire and
not increased, a timer is started when the dtio thread is
sleeping, the timer set disabled when the dtio thread goes to
sleep, and after sleep the thread checks to see if there are
messages to log immediately.
* Merge #1110: Make fallthrough explicit for libworker.c.
* For #1110: Test for fallthrough attribute in configure and add
fallthrough attribute annotations.
* Fix compile when the compiler does not support the noreturn
attribute.
* Fix to have empty definition when not supported for weak
attribute.
* Fix uninitialized variable warning in create_tcp_accept_sock.
* Fix link of dnstap without openssl.
* Fix link of unbound-dnstap-socket without openssl.
* Fix #1106: ratelimit-below-domain logs the wrong FROM address.
* Cleanup ede.tdir test.
* For #935 and #1104, clarify RPZ order and semantics.
* Fix to document parameters of auth_zone_verify_zonemd_with_key.
* Fix for #1114: Fix that cache fill for forward-host names is
performed, so that with nonzero target-fetch-policy it fetches
forwarder addresses and uses them from cache. Also updated that
delegation point cache fill routines use CDflag for AAAA
message lookups, so that its negative lookup stops a recursion
since the cache uses the bit for disambiguation for dns64 but
the recursion uses CDflag for the AAAA target lookups, so the
check correctly stops a useless recursion by its cache lookup.
* Fix dnstap test program, cleans up to have clean memory on
exit, for tap_data_free, does not delete NULL items. Also it
does not try to free the tail, specifically in the free of the
list since that picked up the next item in the list for its
loop causing invalid free. Added internal unit test to
unbound-dnstap-socket for that.
* Fix that the worker mem report with alloc stats does not
attempt to print memory use of forwards and hints if they have
been deleted already.
* Fix that alloc stats has strdup checks, it stops debuggers from
complaining about mismatch at free time.
* Fix testbound for alloc stats strdup in util/alloc.c.
* Fix that alloc stats for forwards and hints are printed, and
when alloc stats is enabled, the unit test for unbound control
waits for reloads to complete.
* Fix that for windows the module startup is called and sets up
the module-config.
* Fix spelling for the cache-min-negative-ttl entry in the
example.conf.