Unbound 1.25.0 released

Published: Wed 29 April 2026
Last updated: Wed 29 April 2026

We are pleased to announce the release of version 1.25.0 of the Unbound recursive DNS resolver.

This release adds several features and a number of bug fixes.

The release is signed with the OpenPGP software signing key that is in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <releases@nlnetlabs.nl>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys .

For cached records, the last second of their lifetime, when the remaining TTL reaches 0, is now treated as expired rather than served. The client therefore never sees a 0 TTL for a record that did not originally have a 0 TTL.

For the mesh reply count there are new statistics counters: num.queries.replyaddr_limit counts the queries removed because of the reply-address limit, and requestlist.current.replies tracks the current number of replies.

With log-thread-id the Linux thread id can be logged, for easier debugging. The contrib/gost12.patch adds ECC-GOST12 support; it was contributed by Igor V. Ruzanov.

For DNAME records received with a TTL of 0, the responses synthesized from them can be served within a 1 second grace period. This reduces recursion when authoritative servers set TTL 0 on DNAMEs.
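The two TTL-0 behaviours above (a cached record whose remaining lifetime hits 0 is expired rather than served, while a DNAME that arrived with TTL 0 gets a 1 second grace period) are illustrated here as an added example. This is not Unbound's code; the cache layout, the function names and the use of integer seconds are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Grace period for DNAMEs that arrived with TTL 0 (mirrors the 1 second in the announcement).
DNAME_ZERO_TTL_GRACE = 1


@dataclass
class CachedRRset:
    """Assumed cache entry layout: what upstream sent and when it was cached."""
    name: str
    rtype: str
    original_ttl: int   # TTL as received from upstream
    inserted_at: int    # seconds on a monotonic clock when the entry was cached


def remaining_ttl(entry: CachedRRset, now: int) -> Optional[int]:
    """Return the TTL to hand to a client, or None if the entry must not be served.

    A record received with a positive TTL is expired the moment its remaining
    lifetime reaches 0, so a client never sees a TTL of 0 that upstream did not
    send.  A DNAME received with TTL 0 may be served (with TTL 0, as upstream
    said) for DNAME_ZERO_TTL_GRACE seconds, after which it is expired too.
    Other records that arrived with TTL 0 are not served from cache in this model
    (an assumption; the announcement only describes the DNAME case).
    """
    age = now - entry.inserted_at
    if entry.original_ttl == 0:
        if entry.rtype == "DNAME" and age < DNAME_ZERO_TTL_GRACE:
            return 0
        return None
    left = entry.original_ttl - age
    if left <= 0:
        return None   # a lifetime of 0 means "expired", not "serve with TTL 0"
    return left


if __name__ == "__main__":
    a = CachedRRset("www.example.", "A", original_ttl=5, inserted_at=100)
    for t in (100, 104, 105):
        print("A at", t, "->", remaining_ttl(a, t))
    d = CachedRRset("alias.example.", "DNAME", original_ttl=0, inserted_at=100)
    for t in (100, 101):
        print("DNAME at", t, "->", remaining_ttl(d, t))
```

The point of the edge case is the boundary second: at age 5 an entry with original TTL 5 returns None, not 0, so no synthesized or cached answer carries a TTL the authoritative server never set.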

The reload and fast_reload commands reload the TLS certificates if the files have changed. The tls-protocols option selects which TLS protocol versions are available; "TLSv1.2 TLSv1.3" is enabled by default.

If pthread_setname or a similar function is available, it is used to give descriptive names to Unbound's threads when pthreads are in use.

There is a new option, iter-scrub-rrsig: 8, that limits the number of RRSIGs per RRset. This protects against overly large numbers of RRSIGs. The default of 8 is the same as the number of signatures that the validator verifies. Thanks to Yuxiao Wu, Tsinghua University for the report.

There is a fix for a local privilege escalation on Windows: the OpenSSL init calls no longer load openssl.cnf on Windows. Thanks to Hao Huang and CrisprXiang with Fudan University for the report.

There is a fix to elide SVCB and HTTPS records that match the private-address filter. It fixes a DNS Rebinding Bypass via SVCB/HTTPS Records in Unbound. Thanks to Kunta Chu, School of Software, Tsinghua University, Taofei Guo, Peking University, and Jianjun Chen, Institute for Network Sciences and Cyberspace, Tsinghua University for the report.
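The rebinding bypass above works because a client may connect to the ipv4hint/ipv6hint addresses in an SVCB or HTTPS record even though the A/AAAA answers for the same name were already filtered. The following added example (not Unbound's code) shows the check a resolver applies: any SVCB/HTTPS record whose hints contain an address matching the private-address list is elided from the answer. The record layout as a dict, the helper names and the address list are assumptions; in a deployment the list would come from the private-address: entries in unbound.conf.

```python
import ipaddress
from typing import Dict, List

# Constructed private-address list for the example (assumption; in practice the
# private-address: lines of unbound.conf define the set).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10", "::1/128",
)]


def is_private(addr: str) -> bool:
    """True if addr falls inside any configured private network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_svcb_rrset(rrset: List[Dict]) -> List[Dict]:
    """Drop SVCB/HTTPS records whose ipv4hint or ipv6hint names a private address.

    Each record is modelled as
      {"priority": int, "target": str, "params": {"ipv4hint": [...], "ipv6hint": [...], ...}}
    (assumed layout).  The whole record is elided, because a client that trusts
    the hint would otherwise connect to an internal address the A/AAAA filter
    already refused to return.
    """
    kept: List[Dict] = []
    for rr in rrset:
        params = rr.get("params", {})
        hints = list(params.get("ipv4hint", [])) + list(params.get("ipv6hint", []))
        if any(is_private(h) for h in hints):
            continue
        kept.append(rr)
    return kept


if __name__ == "__main__":
    # Constructed sample answer: one record smuggles an RFC 1918 address in a hint.
    sample = [
        {"priority": 1, "target": "svc.example.", "params": {"alpn": ["h2"], "ipv4hint": ["192.168.1.10"]}},
        {"priority": 2, "target": "svc2.example.", "params": {"ipv4hint": ["203.0.113.5"], "ipv6hint": ["2001:db8::5"]}},
        {"priority": 0, "target": ".", "params": {}},
    ]
    for rr in filter_svcb_rrset(sample):
        print("kept:", rr["priority"], rr["target"])
```

A detection angle follows from the same code: logging the elided records (owner name, hint address) gives a direct signal of a rebinding attempt against clients behind the resolver.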

There is a fix to ignore out-of-zone DNAME records for CNAME synthesis. Thanks to Yuxiao Wu, Yiyi Wang, Zhang Chao, Baojun Liu, and Haixin Duan from Tsinghua University.

There is a fix to check for invalid HTTP content lengths and chunk sizes, and to check the RR rdata field lengths when decompressing and inserting RRs from an authority zone transfer. This stops large memory use and heap buffer-overflow reads. Thanks to Haruto Kimura (Stella) for the report.

In addition, there is a fix to improve RFC7766 compliance for responses over TCP. When the client sends EOF over TCP, Unbound stops pending replies and closes the connection immediately. Thanks to Yuxiao Wu, Tsinghua University for the report.

There is a fix for the Jiggle Attack. The server now answers with errors for error cases instead of staying silent. In addition, the error replies do not contain parts of the incoming query. This is more conformant, stops reflection and stops its use as a covert channel. Thanks to Yuqi Qiu and Xiang Li, Nankai University (AOSP Lab) for the report. In addition, thanks to Qifan Zhang, Palo Alto Networks, for noting the fingerprinting possibility, which is also fixed with this.

There is a fix for EDNS extended RCODE reflection. The server no longer echoes extended RCODE values after class CHAOS queries. Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for iterator RCODE handling of YXDOMAIN. The server now only accepts YXDOMAIN answers that contain a DNAME record. This stops bad answers and checks that the authoritative server gives correct replies. Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for a missing bounds check when decompressing domain names in downloaded authority zones. Previously the server could end up with malformed zone content after receiving truncated packet contents from an AXFR. In addition, the domain names in the SOA rdata are checked before the authority code picks up the zone serial. Thanks to Halil Oktay for the report.
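Both the rdata-length check for zone-transfer RRs described earlier and the bounds check on name decompression and SOA rdata described here come down to the same discipline: never read a byte the packet does not contain, and validate every length field against the bytes that remain. The following added example (not Unbound's code; function names, the dict layout and the sample packet are assumptions) shows a bounds-checked name decompressor and an RR reader that refuses truncated rdata and only takes a SOA serial after both names in the rdata have parsed cleanly. Compression pointers must point strictly backwards, which also rules out pointer loops.

```python
import struct
from typing import Dict, List, Optional, Tuple

MAX_NAME_LEN = 255   # RFC 1035 limit on the wire form of a name
TYPE_SOA = 6


class MalformedPacket(ValueError):
    """Raised instead of reading past the packet or trusting a bad length field."""


def read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at pkt[off:]; return (name, offset after it)."""
    labels: List[str] = []
    total = 0
    end: Optional[int] = None          # offset after the name at its original position
    while True:
        if off >= len(pkt):
            raise MalformedPacket("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 1 >= len(pkt):
                raise MalformedPacket("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | pkt[off + 1]
            if ptr >= off:                            # only prior occurrences may be referenced
                raise MalformedPacket("compression pointer does not point backwards")
            if end is None:
                end = off + 2
            off = ptr                                 # strictly decreasing, so this terminates
            continue
        if length & 0xC0:
            raise MalformedPacket("reserved label type")
        if length == 0:                               # root label ends the name
            off += 1
            break
        if off + 1 + length > len(pkt):
            raise MalformedPacket("label runs past end of packet")
        total += length + 1
        if total + 1 > MAX_NAME_LEN:                  # +1 for the terminating root label
            raise MalformedPacket("name longer than 255 octets")
        labels.append(pkt[off + 1:off + 1 + length].decode("latin-1"))
        off += 1 + length
    return ".".join(labels) + ".", (off if end is None else end)


def read_rr(pkt: bytes, off: int) -> Tuple[Dict, int]:
    """Parse one RR; rdata must fit in the packet and SOA names must fit in the rdata."""
    name, off = read_name(pkt, off)
    if off + 10 > len(pkt):
        raise MalformedPacket("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    rdata_end = off + rdlength
    if rdata_end > len(pkt):                          # the truncated-AXFR case
        raise MalformedPacket("rdlength exceeds packet")
    rr: Dict = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == TYPE_SOA:
        mname, p = read_name(pkt, off)
        rname, p = read_name(pkt, p)
        if rdata_end - p != 20:                       # exactly five 32-bit counters must remain
            raise MalformedPacket("SOA rdata has wrong length after names")
        serial, refresh, retry, expire, minimum = struct.unpack_from("!IIIII", pkt, p)
        rr.update(mname=mname, rname=rname, serial=serial, refresh=refresh,
                  retry=retry, expire=expire, minimum=minimum)
    else:
        rr["rdata"] = pkt[off:rdata_end]
    return rr, rdata_end


def parse_rr_safely(pkt: bytes, off: int) -> Optional[Dict]:
    """Return the parsed RR, or None when the packet is malformed."""
    try:
        return read_rr(pkt, off)[0]
    except MalformedPacket:
        return None


def build_sample() -> bytes:
    """Constructed zone-transfer fragment: owner 'example.' and one SOA RR using backward pointers."""
    owner = b"\x07example\x00"                                   # offsets 0..8
    rdata = (b"\x02ns" + b"\xc0\x00"                             # mname = ns.example.
             + b"\x05admin" + b"\xc0\x00"                        # rname = admin.example.
             + struct.pack("!IIIII", 2026042901, 7200, 3600, 1209600, 300))
    header = b"\xc0\x00" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata))
    return owner + header + rdata


if __name__ == "__main__":
    pkt = build_sample()
    print(read_rr(pkt, 9)[0])
    print("truncated ->", parse_rr_safely(pkt[:-5], 9))
    print("self-pointer ->", parse_rr_safely(b"\xc0\x00" + pkt[2:], 0))
```

Two checks carry the weight: rdata_end is compared against the packet length before any rdata byte is touched, and the SOA serial is only unpacked once both names have ended exactly 20 bytes before the end of the rdata, so a truncated or padded SOA cannot feed a bogus serial into zone management.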

There is a fix for upstream TLS connections, so that they are not reused as TLS connections for a different name at the same IP. The TLS authentication name is now checked when reusing upstream connections. Thanks to TaoFei Guo from Peking University and JianJun Chen from Tsinghua University for the report.
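The reuse check above is easy to get wrong if the connection pool is keyed by address alone: a connection whose certificate was verified for one authentication name would then be handed to a query that expects a different name on the same IP and port, silently skipping that verification. The following added example (not Unbound's code; class and method names are assumptions) keys idle connections on address, port and TLS authentication name together, so a mismatch simply yields no reusable connection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PoolKey = Tuple[str, int, Optional[str]]


@dataclass
class UpstreamConn:
    """An established upstream connection and the name its certificate was verified for."""
    addr: str
    port: int
    tls_auth_name: Optional[str]   # None for plain TCP/UDP, otherwise the verified name
    in_use: bool = False

    def key(self) -> PoolKey:
        return (self.addr, self.port, self.tls_auth_name)


def can_reuse(conn: UpstreamConn, addr: str, port: int, tls_auth_name: Optional[str]) -> bool:
    """Reuse requires the same endpoint and the same TLS auth name (or both plain)."""
    return (not conn.in_use and conn.addr == addr and conn.port == port
            and conn.tls_auth_name == tls_auth_name)


class UpstreamPool:
    """Idle-connection pool keyed on (addr, port, tls_auth_name)."""

    def __init__(self) -> None:
        self._idle: Dict[PoolKey, List[UpstreamConn]] = {}

    def release(self, conn: UpstreamConn) -> None:
        conn.in_use = False
        self._idle.setdefault(conn.key(), []).append(conn)

    def acquire(self, addr: str, port: int, tls_auth_name: Optional[str]) -> Optional[UpstreamConn]:
        """Hand out an idle connection only if can_reuse() holds; otherwise the caller dials anew."""
        for conn in self._idle.get((addr, port, tls_auth_name), []):
            if can_reuse(conn, addr, port, tls_auth_name):
                self._idle[(addr, port, tls_auth_name)].remove(conn)
                conn.in_use = True
                return conn
        return None


if __name__ == "__main__":
    pool = UpstreamPool()
    pool.release(UpstreamConn("192.0.2.53", 853, "dns.example"))    # constructed sample
    print("other name  ->", pool.acquire("192.0.2.53", 853, "other.example"))
    print("plain TCP   ->", pool.acquire("192.0.2.53", 853, None))
    print("same name   ->", pool.acquire("192.0.2.53", 853, "dns.example"))
```

The defensive property is that the pool cannot return a connection whose certificate verification does not match the requested name, even when the operator configures two forward zones with different authentication names at the same address.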

There is a fix so that signatures made with revoked DNSKEYs are not accepted. This adheres to the processing rules from RFC5011. Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for checking that a DNAME with an unsigned CNAME has a correct match. This stops an unchecked unsigned CNAME from getting secure status for certain zone configurations. Thanks to Qifan Zhang, Palo Alto Networks for the report.

There is a fix for the handling of wildcard CNAMEs in the chain of trust. An improper wildcard in the chain of trust would send the retries to the wrong upstream. Also it could label the step in the chain of trust as secure, when it was not. Thanks to Qifan Zhang, Palo Alto Networks for the report.

Compared to the rc1, the release contains a fix for a buffer overrun in the DoQ code.

For a full list of changes, binary and source packages, see the download page.
