Unbound 1.19.3rc1 pre-release

Wouter · March 7, 2024, 11:08am

Hi,

Unbound 1.19.3rc1 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz
sha256 9445dbb3a79c8155c6d25b72e6a0f85e1dc3b63f794e6b1f7a02d14588d905be
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc1.tar.gz

This is the maintainer's pre-release of Unbound 1.19.3rc1.

This release has a number of bug fixes. The CNAME synthesized for a
DNAME record uses the original TTL, of the DNAME record, and that means
it can be cached for the TTL, instead of 0.

There is a fix that when a message was stored in cache, but one of the
RRsets was not updated due to cache policy, it now restricts the message
TTL if the cache version of the RRset has a shorter TTL. It avoids a
bug where the message is not expired, but its contents is expired.

For dnstap, it logs type DoH and DoT correctly, if that is used for
the message.

The b.root-servers.net address is updated in the default root hints.

When performing retries for failed sends, a retry at a smaller UDP size
is now not performed when that attempt is not actually smaller, and at
defaults, since the flag day changes, it is the same size. This makes
it skip the step, it is useless because there is no reduction in size.

Clients with a valid DNS Cookie will bypass the ratelimit, if one is
set. The value from ip-ratelimit-cookie is used for these queries.

Furthermore there is a fix to make correct EDE Prohibited answers for
access control denials, and a fix for EDNS client subnet scope zero
answers.

Features:
- Merge PR #973: Use the origin (DNAME) TTL for synthesized CNAMEs as
per RFC 6672.

Bug Fixes:
- Fix unit test parse of origin syntax.
- Use 127.0.0.1 explicitly in tests to avoid delays and errors on
   newer systems.
- Fix #964: config.h.in~ backup file in release tar balls.
- Merge #968: Replace the obsolescent fgrep with grep -F in tests.
- Merge #971: fix 'WARNING: Message has 41 extra bytes at end'.
- Fix #969: [FR] distinguish Do53, DoT and DoH in the logs.
- Fix dnstap that assertion failed on logging other than UDP and TCP
   traffic. It lists it as TCP traffic.
- Fix to sync the tests script file common.sh.
- iana portlist update.
- Updated IPv4 and IPv6 address for b.root-servers.net in root hints.
- Update test script file common.sh.
- Fix tests to use new common.sh functions, wait_logfile and
   kill_from_pidfile.
- Fix #974: doc: default number of outgoing ports without libevent.
- Merge #975: Fixed some syntax errors in rpl files.
- Fix root_zonemd unit test, it checks that the root ZONEMD verifies,
   now that the root has a valid ZONEMD.
- Update example.conf with cookie options.
- Merge #980: DoH: reject non-h2 early. To fix #979: Improve errors
   for non-HTTP/2 DoH clients.
- Merge #985: Add DoH and DoT to dnstap message.
- Fix #983: Sha1 runtime insecure change was incomplete.
- Remove unneeded newlines and improve indentation in remote control
   code.
- Merge #987: skip edns frag retry if advertised udp payload size is
   not smaller.
- Fix unit test for #987 change in udp1xxx retry packet send.
- Merge #988: Fix NLnetLabs#981: dump_cache truncates large records.
- Fix to link with -lcrypt32 for OpenSSL 3.2.0 on Windows.
- Fix to link with libssp for libcrypto and getaddrinfo check for
   only header. Also update crosscompile to remove ssp for 32bit.
- Merge #993: Update b.root-servers.net also in example config file.
- Update workflow for ports to use newer openssl on windows compile.
- Fix warning for windres on resource files due to redefinition.
- Fix for #997: Print details for SSL certificate failure.
- Update error printout for duplicate trust anchors to include the
   trust anchor name (relates to #920).
- Update message TTL when using cached RRSETs. It could result in
   non-expired messages with expired RRSETs (non-usable messages by
   Unbound).
- Merge #999: Search for protobuf-c with pkg-config.
- Fix #1006: Can't find protobuf-c package since #999.
- Fix documentation for access-control in the unbound.conf man page.
- Merge #1010: Mention REFUSED has the TC bit set with unmatched
   allow_cookie acl in the manpage. It also fixes the code to match the
   documentation about clients with a valid cookie that bypass the
   ratelimit regardless of the allow_cookie acl.
- Document the suspend argument for process_ds_response().
- Move github workflows to use checkoutv4.
- Fix edns subnet replies for scope zero answers to not get stored
   in the global cache, and in cachedb, when the upstream replies
   without an EDNS record.
- Fix for #1022: Fix ede prohibited in access control refused answers.

Best regards, Wouter

RayG · March 7, 2024, 2:30pm

Just trying out 1.19.3rc1 and got this error when I run my PowerShell configuration script.

Wouter · March 8, 2024, 8:21am

Hi RayG,

That seems to be because the certificate is too small. The OpenSSL version for 1.19.3 is moved to 3.2.1, it was 1.1.x for 1.19.2, there are bugfixes in the 1.19.3 release to make that possible, to move to OpenSSL 3.x. This more recent OpenSSL version also then requires larger certificates.

It is possible to recreate the certificates, by moving them away and then running unbound-control-setup again. I updated that so the same larger length that is also used for eg. Linux is applied. That should work, a fixed version of that unbound-control-setup.cmd script is here. It can be downloaded and then used.
https://github.com/NLnetLabs/unbound/blob/master/winrc/unbound-control-setup.cmd

The fix commit is this one.
https://github.com/NLnetLabs/unbound/commit/939baebfe720e06f1c50e6e770024e138a84ff36

It may also be possible to use the option `control-use-cert: no`. Make sure that the control interface is the default, or 127.0.0.1 for safety, and then it does not use a certificate at all, and thus the certificate cannot be too small.

For the unbound-control-setup script "openssl.exe" is needed, it creates the certificates. For people that compile from source code, any openssl version can be used.

Best regards, Wouter

RayG · March 8, 2024, 2:48pm

Hi Wouter,

OK certificates re-created:

These were the old ones:
18/11/2017 17:25 1,298 unbound_control.key
18/11/2017 17:25 816 unbound_control.pem
18/11/2017 17:25 1,298 unbound_server.key
18/11/2017 17:25 804 unbound_server.pem

These are the new ones:
08/03/2024 13:49 2,524 unbound_control.key
08/03/2024 13:49 1,468 unbound_control.pem
08/03/2024 13:49 2,524 unbound_server.key
08/03/2024 13:49 1,410 unbound_server.pem

But now I get this message:
C:\Program Files\Unbound>unbound-control reload
error: could not SSL_read
D0540000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:865:SSL alert number 48

And in the log file I see:
08/03/2024 14:16:40 C:\Program Files\Unbound\unbound.exe[5548:0] notice: failed connection from 127.0.0.1 port 55344
08/03/2024 14:16:40 C:\Program Files\Unbound\unbound.exe[5548:0] error: remote control failed ssl crypto error:0A000086:SSL routines::certificate verify failed

I know that both the Administrator account and the SYSTEM account can see open and read the key & pem files.

Does this help:
https://stackoverflow.com/questions/53104296/unknown-ca-with-self-generated-ca-certificates-and-client-server

RayG

Wouter · March 8, 2024, 4:23pm

Hi RayG,

Yes it is the CA constraint from the link that was referenced. This is present in unbound-control-setup.sh but was not in unbound-control-setup.cmd. This is fixed with the new version having very similar input config and options as the .sh setup has.

The link to the file in the repo hopefully works.

The fix commit is this one:
https://github.com/NLnetLabs/unbound/commit/7b62767e16145415cb6a4e23f93a8138f54a56f0

Best regards, Wouter

Wouter · March 11, 2024, 10:49am

Hi,

Unbound 1.19.3rc2 pre-release is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc2.tar.gz
sha256 d5519cdd078d29c2b16bbebf7361374e356b79e8632e6e2c9f1dbe2532518eec
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3rc2.tar.gz.asc

This is RC2 of the 1.19.3rc2 pre-release of Unbound.

The changes in RC2 compared to RC1 are an update to the windows unbound-control-setup.cmd, so that it creates valid self-signed certificates for use with unbound-control. And a fix for the synthesized CNAME ttl value.

Bug Fixes:
- Fix unbound-control-setup.cmd to use 3072 bits so that certificates
are long enough for newer OpenSSL versions.
- Fix TTL of synthesized CNAME when a DNAME is used from cache.
- Fix unbound-control-setup.cmd to have CA v3 basicConstraints,
like unbound-control-setup.sh has.

Best regards, Wouter

A_Schulze · March 11, 2024, 6:16pm

forgot to mention: 1.18.3rc1 is running here since then without noise or trouble ...

Andreas

RayG · March 12, 2024, 2:12pm

Hi Wouter,

I tried out 1.19.3rc2 and I still see the same issue:

unbound-checkconf: no errors in C:\Program Files\Unbound\service.conf
error: could not SSL_read
185B0000:error:0A000418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:865:SSL alert number 48

Failed to reload the server please restart it manually:
12/03/2024 14:11:35 C:\Program Files\Unbound\unbound.exe[21412:0] notice: init module 0: respip
12/03/2024 14:11:35 C:\Program Files\Unbound\unbound.exe[21412:0] notice: init module 1: validator
12/03/2024 14:11:35 C:\Program Files\Unbound\unbound.exe[21412:0] notice: init module 2: iterator
12/03/2024 14:11:35 C:\Program Files\Unbound\unbound.exe[21412:0] info: start of service (unbound 1.19.3rc2).

RayG

Wouter · March 12, 2024, 3:24pm

Hi RayG,

How very annoying that it still fails. What version of openssl.exe do you use? `openssl version` prints out the version number. The unbound-control-setup.cmd script uses the openssl.exe version that is available.

Another question, if this is the rc2 unbound server started with the same .pem and .key files from last time then this is the expected output, that it fails. Did you recreate the key and certificate files using the newer unbound-control-setup.cmd script? By deleting or moving away the other files and then running the script again, that creates the certificates again, and uses the new CA flag options added in the previous fix.

Best regards, Wouter

Tuomo_Soini · March 12, 2024, 5:07pm

Seem to work fine.

A_Schulze · March 12, 2024, 9:17pm

well, just noticed strange logging.

- I've enabled "log-destaddr: yes"
- unbound listen on a specific IPv4 and IPv6 address
- 'kdig -4 . @ipv4 SOA' produce expected logging like this:

reply: 192.0.2.1 . SOA IN NOERROR 0.000000 1 92 on udp 192.0.2.53 53

- 'kdig -6 . @ipv6 SOA' produce this:

reply: 2001:db8::1 . SOA IN NOERROR 0.000000 1 92 on udp 53

or

reply: 2001:db8::1 . SOA IN NOERROR 0.000000 1 92 on udp . 53

or even

reply: 2001:db8::1 . SOA IN NOERROR 0.000000 1 92 on udp �7
< 53

looks like there will be an rc3?

Andreas

Wouter · March 13, 2024, 9:47am

Hi Andreas,

These things work fine when I try to dig at IPv4 or IPv6 addresses. Also valgrind notices no problems with the printout code. What makes it go wrong for you? What are the interface: options?

It works for me with interface: IPs, localhost, interface-automatic, by interface name, wildcard IP. I wonder what causes the issue.

Perhaps this is more of a bug fix for a future release. The rc1 sequence is mostly meant for bugs that hamper deployment, package management trouble. But it is good to fix, to have a fix for it.

Best regards, Wouter

A_Schulze · March 13, 2024, 11:36am

Hello Wouter,

I'll prepare a more simplified setup an try to make it reproducable. But this may take some time.
Maybe there is an glitch on my side (unrelated to unbound) an I miss interpreted my logs...

Andreas

Wouter · March 14, 2024, 9:24am

Hi,

Unbound 1.19.3 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz
sha256 3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz.asc