Package: unbound
Version: 1.22.0-2+deb13u1
Severity: important
Tags: security

The /etc/resolvconf/update.d/unbound hook is now executable by default on new
installs. This causes unbound to silently forward all queries to upstream
nameservers (provided by DHCP/resolvconf) instead of performing recursive
resolution starting from the root servers. This is problematic for several
reasons:

1. UNEXPECTED BEHAVIOR: Users installing a "recursive resolver" expect
   recursive resolution, not forwarding. The package description says
   "validating, recursive, caching DNS resolver" - not "forwarder".

2. PRIVACY LEAK: All DNS queries are sent to upstream resolvers (e.g., the
   hosting provider's DNS) instead of being resolved directly. Users setting
   up their own resolver often do so specifically to avoid this.

3. CACHE POISONING EXPOSURE: The upstream resolver's stale cache can override
   authoritative data. In my case, a domain migration was invisible for hours
   because Hetzner's resolvers had cached old NS records, despite the
   authoritative servers being correctly updated.

4. DNSSEC ISSUES: As noted in the hook's own comments, this can break DNSSEC
   validation if the upstream does not support it properly.

5. SILENT FAILURE: There is no warning during installation or in the logs that
   unbound is operating as a forwarder rather than a recursive resolver.

The hook script itself acknowledges these issues:

> "This hook can be problematic, especially if the upstream nameservers
> do not perform DNSSEC validation correctly."

Yet it is now enabled by default.

SUGGESTED FIX:
- Default to disabled (chmod -x) as it was in previous releases
- Or add a debconf prompt asking for the user's preferred mode
- Or, at minimum, log a warning when forwarding is active

WORKAROUND:
chmod -x /etc/resolvconf/update.d/unbound
unbound-control forward off

-- System Information:
Debian Release: 13.2 (trixie)
Architecture: amd64
Kernel: Linux 6.12.57-1

Robin Labadie
LRob
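An added audit script (not part of this report or of the unbound package) that checks the two conditions described above: whether the resolvconf hook is executable, and whether the running unbound has a forward zone configured, so that the silent forwarding mode becomes visible. It assumes `unbound-control forward` prints `off` when no forwarding is active and a list of upstream addresses otherwise; the function names and the 192.0.2.x addresses in the usage call are constructed for the example.

```shell
#!/bin/sh
# Audit whether unbound is silently forwarding because the resolvconf hook is
# enabled. Added example, not the package's own code.
HOOK=${HOOK:-/etc/resolvconf/update.d/unbound}

# Return 0 if the hook is executable (resolvconf will run it), 1 otherwise.
hook_enabled() {
    [ -x "$1" ]
}

# Classify the output of `unbound-control forward`: "off" means full
# recursion from the roots, anything else is the upstream address list
# that every query is being sent to.
classify_forward() {
    case "$1" in
        off) echo recursive ;;
        "")  echo unknown ;;      # daemon not running or control socket denied
        *)   echo "forwarding:$1" ;;
    esac
}

# Print a one-line status and fail (return 1) when forwarding is active,
# so the check can gate a deploy or raise a monitoring alert.
audit() {
    hook=$1
    mode=$(classify_forward "$2")
    if hook_enabled "$hook"; then hs=enabled; else hs=disabled; fi
    echo "hook=$hs mode=$mode"
    case "$mode" in
        forwarding:*) return 1 ;;
    esac
    return 0
}

# Live check against this host, only when unbound-control is installed.
if command -v unbound-control >/dev/null 2>&1; then
    audit "$HOOK" "$(unbound-control forward 2>/dev/null)" \
        || echo "WARNING: unbound is forwarding, not recursing" >&2
fi
```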

