ldns 1.9.1 is available:
https://nlnetlabs.nl/downloads/ldns/ldns-1.9.1.tar.gz
sha256 e2aa09b6d88c6aa01efa658d7a8aa9d9922d557a9cf166818991f81e1cab2b61
pgp https://nlnetlabs.nl/downloads/ldns/ldns-1.9.1.tar.gz.asc
This release has a single security fix:
NLnet Labs ldns versions 1.2.0 up to and including 1.9.0, when used in applications as a (stub) resolver over UDP, does not check that the source address and port of a response match the destination address and port of the query. Furthermore, neither the query ID nor the question of the response is matched against that of the query. This makes applications that use ldns for (stub) resolver functionality vulnerable to off-path poisoning attacks.
The release is signed with the OpenPGP software signing key that has been in use since Jan 1st 2026:
User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419 146A A144 323D EAAC DF45
The key is available from NLnet Labs - Software Signing Keys
Bug fix:
- Fix CVE-2026-10846: Insufficient verification that responses belong to a query. Thanks to Pablo Ruiz from ‘codecome.ai’ for the report.