Unbound 1.13.0 released

Hi,

Unbound 1.13.0 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz
sha256 a954043a95b0326ca4037e50dace1f3a207a0a19e9a4a22f4c6718fc623db2a1
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.13.0.tar.gz.asc

This version has fixes to connect for UDP sockets, slowing down
potential ICMP side channel leakage. The fix can be controlled with the
option udp-connect: yes; it is enabled by default.

Additionally, CVE-2020-28935 is fixed; this solves a problem where the
pidfile is altered by a symlink, and fails if a symlink is encountered.
See https://nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt for more
information.

New features are upstream TCP and TLS query reuse, where a channel is
reused for several queries. And http-notls-downstream: yesno for
unencrypted DoH, useful for back end support servers. The option
infra-keep-probing can be used to probe hosts that are down more
frequently.

The options edns-client-string and edns-client-string-opcode can be used
to add an EDNS option with the specified string in queries towards
servers, with the servers specified by IP address. It replaces the
edns-client-tag option.

The released version equals the 1.13.0rc4 with an added fix for stream
reuse and tcp fast open.

Features
- Pass the comm_reply information to the inplace_cb_reply* functions
  during the mesh state and update the documentation on that.
- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
  This adds the option http-notls-downstream: yesno to change that,
  and the dohclient test code has the -n option.
- Merge PR #228 : infra-keep-probing option to probe hosts that are
  down. Add infra-keep-probing: yes option. Hosts that are down are
  probed more frequently.
  With the option turned on, it probes about every 120 seconds,
  eventually after exponential backoff, and it stays that way if
  traffic keeps up for the domain. It probes one at a time, e.g.
  one query is allowed to probe; other queries within that 120 second
  interval are turned away.
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
  edns-client-string option.
- Merge PR #283 : Stream reuse. This implements upstream stream
  reuse for performing several queries over the same TCP or TLS
  channel.
- Fix to connect() to UDP destinations, default turned on,
  this lowers vulnerability to ICMP side channels.
  Option to toggle udp-connect, default is enabled.

Bug Fixes
- Fix #319: potential memory leak on config failure, in rpz config.
- Fix dnstap socket and the chroot not applied properly to the dnstap
  socket path.
- Fix warning in libnss compile, nss_buf2dsa is not used without DSA.
- Fix #323: unbound testsuite fails on mock build in systemd-nspawn
  if systemd support is built.
- Fix for python reply callback to see mesh state reply_list member,
  it only removes it briefly for the commpoint call so that it does
  not drop it and attempt to modify the reply list during reply.
- Fix that if there are on reply callbacks, those are called per
  reply and a new message created if that was modified by the call.
- Free up auth zone parse region after use for lookup of host
- Merge PR #326 from netblue30: DoH: implement content-length
  header field.
- DoH content length, simplify code, remove declaration after
  statement and fix cast warning.
- Fix that if there are reply callbacks for the given rcode, those
  are called per reply and a new message created if that was modified
  by the call.
- Fix that the out of order TCP processing does not limit the
  number of outstanding queries over a connection.
- Fix python documentation warning on functions.rst inplace_cb_reply.
- Log ip address when http session recv fails, eg. due to tls fail.
- Fix to set the tcp handler event toggle flag back to default when
  the handler structure is reused.
- Clean the fix for out of order TCP processing limits on number
  of queries. It was tested to work.
- Fix that http settings have colon in set_option, for
  http-endpoint, http-max-streams, http-query-buffer-size,
  http-response-buffer-size, and http-nodelay.
- Fix memory leak of https port string when reading config.
- local-zone regional allocations outside of chunk
- Merge PR #324 from James Renken: Add modern X.509v3 extensions to
  unbound-control TLS certificates.
- Fix for PR #324 to attach the x509v3 extensions to the client
  certificate.
- Fix #327: net/if.h check fails on some darwin versions; contribution
  by Joshua Root.
- Fix #320: potential memory corruption due to size miscomputation upon
  custom region alloc init.
- Fix #333: Unbound Segmentation Fault w/ log_info Functions From
  Python Mod.
- Fix that minimal-responses does not remove addresses from a priming
  query response.
- In man page note that tls-cert-bundle is read before permission
  drop and chroot.
- Fix #341: fixing a possible memory leak.
- Fix memory leak after fix for possible memory leak failure.
- Fix #343: Fail to build --with-libnghttp2 with error: 'SSIZE_MAX'
  undeclared.
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
  with chown of pidfile.
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
  failed to list interfaces: getifaddrs: Address family not
  supported by protocol.
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
  address families.
- iana portlist updated.
- Fix crash when TLS connection is closed prematurely, when
  reuse tree comparison is not properly identical to insertion.
- Fix padding of struct regional for 32bit systems.
- with udp-connect ignore connection refused with UDP timeouts.
- Fix udp-connect on FreeBSD, do send calls on connected UDP socket.
- Better fix for reuse tree comparison for is-tls sockets. Where
  the tree key identity is preserved after cleanup of the TLS state.
- Fix memory leak for edns client tag opcode config element.
- Attempt fix for libevent state in tcp reuse cases after a packet
  is written.
- Fix readagain and writeagain callback functions for comm point
  cleanup.
- Fix to omit UDP receive errors from log, if verbosity low.
  These happen because of udp-connect.
- For #352: contrib/metrics.awk for Prometheus style metrics output.
- Fix that after failed read, the readagain cannot activate.
- Clear readagain upon decommission of pending tcp structure.
- Fix compile warning for type cast in http2_submit_dns_response.
- Fix when use free buffer to initialize rbtree for stream reuse.
- Fix compile warnings for windows.
- Fix compile warnings in rpz initialization.
- Fix contrib/metrics.awk for FreeBSD awk compatibility.
- Fix assertion failure on double callback when iterator loses
  interest in query at head of line that then has the tcp stream
  not kept for reuse.
- Fix stream reuse and tcp fast open.

Best regards, Wouter
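As an added illustration of the pidfile handling the CVE-2020-28935 fix describes (the write fails if a symlink is encountered), and not Unbound's own code: the pidfile is opened with O_NOFOLLOW, and the chown and the write happen on the descriptor rather than the path. The function names and the temporary directory used by the self-check are assumptions for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `pid` to `path` without following a symlink at that path.
 * Returns 0 on success, -1 with errno set on failure; ELOOP (EMLINK on
 * FreeBSD) means the path was a symlink and the write was refused. */
int write_pidfile_nofollow(const char *path, pid_t pid, uid_t owner, gid_t group)
{
    /* O_NOFOLLOW: a symlink as the final path component makes open() fail,
     * so a planted link cannot redirect the write or the chown elsewhere. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    /* From here on use only the descriptor, never the path again, so the
     * file cannot be swapped underneath us between check and use. */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (fchown(fd, owner, group) < 0 || write(fd, buf, (size_t)n) != n) { close(fd); return -1; }
    return close(fd);
}

/* Self-check in a fresh temporary directory (constructed here, not a real
 * Unbound path): a regular pidfile is written, a symlink is refused and its
 * target is never created. Returns 1 when all three hold, -1 on setup error. */
int pidfile_symlink_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char regular[300], link[300], target[300];
    snprintf(regular, sizeof regular, "%s/unbound.pid", dir);
    snprintf(link, sizeof link, "%s/link.pid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    int written = write_pidfile_nofollow(regular, getpid(), (uid_t)-1, (gid_t)-1) == 0;
    int refused = symlink(target, link) == 0
               && write_pidfile_nofollow(link, getpid(), (uid_t)-1, (gid_t)-1) < 0
               && (errno == ELOOP || errno == EMLINK);
    struct stat st;
    int untouched = lstat(target, &st) < 0 && errno == ENOENT;
    unlink(link); unlink(regular); rmdir(dir);
    return written && refused && untouched;
}
```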

> Unbound 1.13.0 is available:

Excellent!

Question on upgrade. I recently installed unbound on Ubuntu 20.04 LTS, they ship 1.9.4. They will probably provide a security backport for CVEs addressed in this release.

I'm however thinking of running the latest.
Is there anybody maintaining an Ubuntu package not so much behind?

Okay if not, I can compile the source and move my config, no worries.

Thanks,
Maciej

Well, built on first server. Runs ok.

Later will deploy on two others. )

03.12.2020 15:11, Wouter Wijngaards via Unbound-users writes:

This is great stuff. One piece of fallout, mentioned in case it helps
others: at home, I use IPv6 locally but don't have IPv6 global
connectivity, so was relying upon Unbound handling absent reachable
addresses just fine.

Without configuration changes, this new behavior results in a lot of
logging of the form:

  udp connect failed: Network is unreachable for [...]

To fix it, while leaving IPv6 available to clients on local net, I made
a change I probably should have done ages ago:

    do-not-query-address: ::/0
    prefer-ip4: yes

That is, leave "do-ip6: yes" in place, but then tell the resolver to not
query any IPv6 address, and to not try that first anyway.

With this change, the new log spam has gone away.

-Phil

Hi Phil,

>> This version has fixes to connect for UDP sockets, slowing down
>> potential ICMP side channel leakage. The fix can be controlled with the
>> option udp-connect: yes, it is enabled by default.
>
> This is great stuff. One piece of fallout, mentioned in case it helps
> others: at home, I use IPv6 locally but don't have IPv6 global
> connectivity, so was relying upon Unbound handling absent reachable
> addresses just fine.

There is a fix in the code repository for this.
https://github.com/NLnetLabs/unbound/commit/5906811ff19f005110b2edbda5aa144ad5fa05b1
It ignores this log chatter at low verbosity.

Best regards, Wouter
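As an added example of the kernel property the udp-connect change in the announcement relies on, not code from Unbound or from anyone in this thread: once a UDP socket is connect()ed, the kernel delivers to it only datagrams from that one peer (and, on Linux, that peer's ICMP errors, which is why the changelog mentions treating ECONNREFUSED like a timeout). The loopback sockets and function names are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* UDP socket bound to 127.0.0.1 on a kernel-chosen port, written back to *addr. */
static int bind_loopback(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof *addr;
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Send one constructed datagram from `from` to `to` and report whether `rx`
 * gets it within 200 ms: 1 delivered, 0 discarded by the kernel, -1 error. */
static int delivered(int rx, int from, const struct sockaddr_in *to)
{
    const char payload[] = "constructed-reply";
    if (sendto(from, payload, sizeof payload, 0, (const struct sockaddr *)to, sizeof *to) < 0)
        return -1;
    struct pollfd pfd = { .fd = rx, .events = POLLIN };
    int r = poll(&pfd, 1, 200);
    if (r <= 0) return r;
    char buf[64]; return recv(rx, buf, sizeof buf, 0) < 0 ? -1 : 1;
}

/* Scenario: the resolver's outgoing socket is connect()ed to its upstream.
 * A datagram from that upstream is delivered; one aimed at the same resolver
 * port from any other source is dropped before the resolver ever sees it.
 * Returns 1 when both hold, 0 if the kernel behaves differently, -1 on error. */
int connected_udp_accepts_only_peer(void)
{
    struct sockaddr_in upstream, other, resolver;
    int up = bind_loopback(&upstream), oth = bind_loopback(&other), res = bind_loopback(&resolver);
    if (up < 0 || oth < 0 || res < 0) return -1;
    if (connect(res, (struct sockaddr *)&upstream, sizeof upstream) < 0) return -1;
    int from_peer = delivered(res, up, &resolver);
    int from_other = delivered(res, oth, &resolver);
    close(up); close(oth); close(res);
    if (from_peer < 0 || from_other < 0) return -1;
    return from_peer == 1 && from_other == 0;
}
```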

You could try the package from Debian’s sid branch. It is currently at 1.12, but I think the maintainer will update it soon to 1.13. With 1.12, there was about a week and a half between the official release and the package becoming available.

However, if you are truly interested in having the latest versions, you might rather want to take a look at Linux distributions with rolling releases for future deployments, such as Arch or TumbleWeed.

Many thanks for all the fine releases over the years!

That said, for once I may have an issue in 1.13.0. This morning, my
logs show:

    Dec 14 22:21:13 amnesiac pkg[60360]: unbound-1.13.0 installed
    Dec 26 09:14:52 amnesiac kernel: pid 60404 (unbound), jid 0, uid 59: exited on signal 11
    Dec 26 14:15:31 amnesiac unbound[48856]: [48856:0] warning: did not exit gracefully last time (60404)

Sadly, no core file or any other log messages. Anyone else seen crashes
with 1.13.0? Any known bugs that lead to segfaults?

This is on a FreeBSD 12.0 system, and unbound (built from ports) is not
configured to anything exotic like DoT or DoH:

       [ ] DNSCRYPT      Enable dnscrypt support
       [ ] DNSTAP        Enable dnstap logging support
       [x] DOCS          Build and/or install documentation
       [ ] DOH           Enable DNS-over-HTTPS supports
       [x] ECDSA         Enable ECDSA (elliptic curve) support (OpenSSL >= 1.0)
       [ ] EVAPI         (Experimental) pluggable event based libunbound API sup
       [ ] FILTER_AAAA   Build with AAAA filter functionality (contrib)
       [ ] GOST          Enable GOST support (requires OpenSSL >= 1.0)
       [ ] HIREDIS       Enable hiredis support for the cachedb module
       [x] LIBEVENT      Build against libevent
       [ ] MUNIN_PLUGIN  Install Munin plugin
       [ ] PYTHON        Python bindings or support
       [ ] SUBNET        Enable client subnet support
       [x] TFOCL         Enable TCP Fast Open for client mode
       [x] TFOSE         Enable TCP Fast Open for server mode
       [x] THREADS       Threading support

This unbound serves only my inside LAN, no public clients:

    /usr/local/etc/unbound.conf:
        server:
                username: unbound
                directory: /usr/local/etc/unbound
                chroot: /usr/local/etc/unbound
                pidfile: /usr/local/etc/unbound/unbound.pid
                auto-trust-anchor-file: /usr/local/etc/unbound/root.key

                unblock-lan-zones: yes
                insecure-lan-zones: yes

                verbosity: 0

                module-config: "validator iterator"
                minimal-responses: yes
                qname-minimisation: no
                cache-max-ttl: 7200
                cache-max-negative-ttl: 1200
                val-sig-skew-min: 3600
                val-sig-skew-max: 3600
                harden-algo-downgrade: no

                target-fetch-policy: "3 3 3 2 1 1"
                prefetch-key: yes

                num-threads: 2
                msg-cache-slabs: 2
                rrset-cache-slabs: 2
                infra-cache-slabs: 2
                key-cache-slabs: 2
                key-cache-size: 128m
                rrset-cache-size: 128m
                msg-cache-size: 32m
                neg-cache-size: 4m
                jostle-timeout: 500
                delay-close: 1500

                interface: 127.0.0.1
                interface: 192.168.1.1
                interface: fd00:53:53::53
                so-reuseport: no
                access-control: 127.0.0.0/8 allow
                access-control: 192.168.1.0/24 allow
                edns-buffer-size: 8192
                max-udp-size: 8192

                do-not-query-localhost: yes
                do-ip4: yes
                do-ip6: yes
                do-udp: yes
                do-tcp: yes
                prefer-ip6: no
                outgoing-range: 16384
                num-queries-per-thread: 8192
                outgoing-port-permit: 1024-65535
                outgoing-port-avoid: 1-1023
                outgoing-num-tcp: 512
                incoming-num-tcp: 512
                so-rcvbuf: 12m
                so-sndbuf: 12m
                infra-cache-numhosts: 100000

                rrset-roundrobin: yes

        local-zone: "doubleclick.net." always_nxdomain
        local-zone: "facebook.com." always_nxdomain
        local-zone: "googleadservices.com." always_nxdomain
        local-zone: "use-application-dns.net." always_nxdomain

        # Use local mirrors of the root and arpa zones:

Viktor Dukhovni via Unbound-users writes:

> ...
> Dec 14 22:21:13 amnesiac pkg[60360]: unbound-1.13.0 installed
> Dec 26 09:14:52 amnesiac kernel: pid 60404 (unbound), jid 0, uid 59: exited on signal 11
> Dec 26 14:15:31 amnesiac unbound[48856]: [48856:0] warning: did not exit gracefully last time (60404)
>
> Sadly, no core file or any other log messages. Anyone else seen crashes
> with 1.13.0? Any known bugs that lead to segfaults?
>

There is an emergency upgrade, see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251821
for details.

  jaap