Hi!
First things first, thank you for the great product.
However, my Fedora package has failed again on PGP key verification. New
release is signed with key 948EB42322C5D00B79340F5DCFF3344D9087A490.
My previous key of Wouter were not recognized. Then I realized previous
release were not signed by Yorgos. But some previous were. I went to
NLNetlabs People page [1] to find who that george might be. And
surprise, no George at all.
When I refreshed the key of Yorgos, I found then I am not under attack
and I already have such key, but not with this id.
gpgv: Signature made Wed Oct 22 11:16:18 2025 CEST
gpgv: using RSA key 948EB42322C5D00B79340F5DCFF3344D9087A490
gpgv: issuer "[email protected]"
gpgv: Can't check signature: No public key
Anyway, could be please created one file published over HTTPS, which
would contain both people creating source archives recently?
I had to put one key or another key [2] into my spec file, it is somehow
unwanted, especially in archive signature verification.
It would be better if unbound page [3] could contain at least
description which people may sign the release. Ideally combined single
file, which I may refresh on new release if in doubt.
Thank you in advance!
1. https://nlnetlabs.nl/people/
2.
https://src.fedoraproject.org/rpms/unbound/blob/rawhide/f/unbound.spec#_222
3. https://nlnetlabs.nl/projects/unbound/about/
On 22/10/2025 12:20, Yorgos Thessalonikefs via Unbound-users wrote:
Hi,
Unbound 1.24.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz
sha256 7f2b1633e239409619ae0527f67878b0f33ae0ec0ee5a3a51c042c359ba1eeab
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz.asc
This security release fixes CVE-2025-11411.
Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.
The CVE is described here
https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.
Bug Fixes:
- Fix CVE-2025-11411 (possible domain hijacking attack), reported by
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
University.
This Unbound release is signed by my PGP key.
You can find my public PGP key at https://nlnetlabs.nl/people/.
Also on the online key servers like
https://keyserver.ubuntu.com/pks/lookup?search=948eb42322c5d00b79340f5dcff3344d9087a490&fingerprint=on&op=index
which is additionally signed with Wouter's key as well.
Both Wouter's (PGP Key ID: 9F6F 1C2D 7E04 5F8D)
and my key (PGP Key ID: CFF3 344D 9087 A490)
will be eligible for signing releases from now.
Best regards,
-- Yorgos
--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
