Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:unbound
User: [email protected]
Usertags: pu
[ Reason ]
There's a single bugfix in this release (compared with the version currently in trixie), #1129922. In short, unbound in trixie, with certain configuration, will hammer root nameservers needlessly with SSL/TLS handshakes. The fix is simple enough, and I agree it should be back-ported to current debian stable at least.

[ Tests ]
In my testing, the fix (back-ported trixie version of unbound) seems to work correctly and does not do any visible harm.

[ Risks ]
The fix (2 patches from upstream) is small, focused and understandable; I don't expect any breakage from it.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Additional Info ]
https://github.com/NLnetLabs/unbound/issues/1247

Thanks,

/mjt

diff -Nru unbound-1.22.0/debian/changelog unbound-1.22.0/debian/changelog --- unbound-1.22.0/debian/changelog 2025-11-26 23:12:47.000000000 +0300 +++ unbound-1.22.0/debian/changelog 2026-03-15 16:38:29.000000000 +0300 @@ -1,3 +1,12 @@ +unbound (1.22.0-2+deb13u2) trixie; urgency=medium + + * two patches from upstream to avoid ssl handshake to root NSes: + 1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch + 1247-turn-off-fetch-policy-for-delegation-when.patch + (Closes: #1129922) + + -- Michael Tokarev <[email protected]> Sun, 15 Mar 2026 16:38:29 +0300 + unbound (1.22.0-2+deb13u1) trixie-security; urgency=high [ Guilhem Moulin ] diff -Nru unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch --- unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch 1970-01-01 03:00:00.000000000 +0300 +++ unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch 2026-03-15 16:22:08.000000000 +0300 
@@ -0,0 +1,26 @@ +From ca153f465723c3cefdaa7d299962369bc95da7c0 Mon Sep 17 00:00:00 2001 +From: Yorgos Thessalonikefs <[email protected]> +Date: Wed, 25 Jun 2025 13:56:50 +0200 +Subject: Fix #1247: forward-first: ssl handshake failed on root nameservers +Comment: doc/Changelog changes skipped +Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247 +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/1129922 + +diff --git a/iterator/iterator.c b/iterator/iterator.c +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -2180,6 +2180,10 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, + a->lame, a->tls_auth_name, -1, NULL); + } + lock_rw_unlock(&qstate->env->hints->lock); ++ /* copy over some configuration since we update the ++ * delegation point in place */ ++ iq->dp->tcp_upstream = dp->tcp_upstream; ++ iq->dp->ssl_upstream = dp->ssl_upstream; + } + iq->dp->has_parent_side_NS = 1; + } else if(!iq->dp->has_parent_side_NS) { +-- +2.47.3 + diff -Nru unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch --- unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch 1970-01-01 03:00:00.000000000 +0300 +++ unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch 2026-03-15 16:13:02.000000000 +0300 
@@ -0,0 +1,55 @@ +From e2814fe1651825cd5c7f21032e27e4326111f8f4 Mon Sep 17 00:00:00 2001 +From: Yorgos Thessalonikefs <[email protected]> +Date: Wed, 25 Jun 2025 13:59:17 +0200 +Subject: For #1247, turn off fetch-policy for delegation when + looking into parent side name servers that may not update the addresses and + hit NXNS limits +Comment: doc/Changelog changes skipped +Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247 +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/1129922 + +diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h +--- a/iterator/iter_delegpt.h ++++ b/iterator/iter_delegpt.h +@@ -79,6 +79,16 @@ struct delegpt { + * Also true if the delegationpoint was created from a delegation + * message and thus contains the parent-side-info already. */ + uint8_t has_parent_side_NS; ++ /** if true, the delegation point has reached last resort processing ++ * and the parent side information has been possibly added to the ++ * delegation point. ++ * For now this singals that further target lookups will ignore ++ * the configured target-fetch-policy and only resolve on ++ * demand to try and avoid triggering limits at this stage (.i.e, it ++ * is very likely that the A/AAAA queries for the newly added name ++ * servers will not yield new IP addresses and trigger NXNS ++ * countermeasures. 
*/ ++ uint8_t fallback_to_parent_side_NS; + /** for assertions on type of delegpt */ + uint8_t dp_type_mlc; + /** use SSL for upstream query */ +diff --git a/iterator/iterator.c b/iterator/iterator.c +--- a/iterator/iterator.c ++++ b/iterator/iterator.c +@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, + verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL"); + return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); + } ++ iq->dp->fallback_to_parent_side_NS = 1; + if(qstate->env->cfg->harden_unverified_glue) { + if(!cache_fill_missing(qstate->env, iq->qchase.qclass, + qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE)) +@@ -2772,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + } + /* if the mesh query list is full, then do not waste cpu and sockets to + * fetch promiscuous targets. They can be looked up when needed. */ +- if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) { ++ if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc ++ && !mesh_jostle_exceeded(qstate->env->mesh)) { + tf_policy = ie->target_fetch_policy[iq->depth]; + } + +-- +2.47.3 + diff -Nru unbound-1.22.0/debian/patches/series unbound-1.22.0/debian/patches/series --- unbound-1.22.0/debian/patches/series 2025-11-26 23:12:47.000000000 +0300 +++ unbound-1.22.0/debian/patches/series 2026-03-15 16:08:45.000000000 +0300 @@ -2,3 +2,5 @@ Fix-RebirthDay-Attack-CVE-2025-5994.patch CVE-2025-11411.patch CVE-2025-11411-additional-nodata.patch +1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch +1247-turn-off-fetch-policy-for-delegation-when.patch
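Review bot: the debian/changelog hunk names the two patch files but says nothing about which configuration is affected; since the upstream subject is "forward-first: ssl handshake failed on root nameservers" and the first patch copies `tcp_upstream`/`ssl_upstream`, suggest stating that this affects forward-first setups with an SSL/TCP upstream forwarder, so stable users can tell whether they need the update. Referencing the upstream issue URL already present in the patch headers (https://github.com/NLnetLabs/unbound/issues/1247) next to "(Closes: #1129922)" would also help.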
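Review bot: in the processLastResort hunk of the first patch, the comment "copy over some configuration since we update the delegation point in place" does not say which way the copy goes or why it matters; `iq->dp` is the delegation point being updated in place with the root-hint targets, so the two assignments overwrite its `tcp_upstream`/`ssl_upstream` with the values from the hints `dp`, which is what stops TLS handshakes to the root servers. Suggest making the comment say that explicitly, and checking whether the `else if(!iq->dp->has_parent_side_NS)` path directly below, which the hunk does not touch, needs the same treatment.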
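Review bot: the iter_delegpt.h hunk adds the `fallback_to_parent_side_NS` member to `struct delegpt`, but the patch carries no hunk for iter_delegpt.c, so the field is only ever set (in processLastResort) and never explicitly initialized or copied; that is safe only if every delegpt allocation zero-fills the struct and no copy path needs to carry it over, otherwise a stale non-zero value would silently disable target-fetch-policy. Suggest confirming this for the 1.22.0 backport. The doc comment also has typos: "singals" should be "signals", ".i.e," should be "i.e.", and the parenthesis opened before it is never closed.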
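Review bot: in the processQueryTargets hunk, the comment above the changed condition ("if the mesh query list is full, then do not waste cpu and sockets to fetch promiscuous targets") no longer describes the whole test; suggest extending it to say that promiscuous fetching is also skipped once `fallback_to_parent_side_NS` is set, so a reader does not have to trace the flag back to processLastResort to understand why `tf_policy` stays at its default here.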

