Your message dated Fri, 03 Apr 2026 22:02:42 +0000
with message-id <[email protected]>
and subject line Bug#1129922: fixed in unbound 1.22.0-2+deb13u2
has caused the Debian Bug report #1129922,
regarding upstream bug fix (never try TLS to reach root nameservers, even with a DoT forward zone) should be cherry-picked for Trixie
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129922: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129922
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.22.0-2+deb13u1
Severity: important
Tags: upstream fixed-upstream
Forwarded: https://github.com/NLnetLabs/unbound/issues/1247
Control: fixed -1 1.24.0-1

The upstream issue describes the problem well, but I'll describe how I came 
across it.

I have long had this configuration snippet for Unbound:
forward-zone:
        name: "."
        forward-tls-upstream: yes
        # Try these public resolvers first instead of going to the root nameservers.
        # If these don't work, doing all of the recursion ourselves is tolerable.
        forward-first: yes
        forward-addr: 2001:67c:930::1#wikimedia-dns.org
        forward-addr: 2a04:b900:0:100::37#getdnsapi.net

For my workstation, I use Unbound so it can privately reach a couple major 
DNS-over-TLS resolvers and also perform DNSSEC validation. In particular DNSSEC 
and some particular resource record types I use frequently can elicit large 
answers, so a keep-alive TCP connection is well-suited for me anyhow. If, for 
whatever reason, my preferred resolvers aren't readily available, falling back 
to recursive resolution with the root nameservers directly is okay I guess, so 
I set "forward-first: yes" to say that, if the "forwarders" aren't reachable, 
do things the old-school way.

In syslog I found a bunch of log entries that looked like this:
[2553:0] error: ssl handshake failed: channel closed
unbound[2553]: [2553:0] notice: ssl handshake failed 2001:500:9f::42 port 53

That's a root name server! Root servers obviously don't support TLS, and 
definitely not on port 53. It is a mistake that Unbound ever tried this. 
Because the root name servers are a pillar of internet infrastructure, the 
thought that many machines like mine could be part of an accidental DDoS of the 
most busy servers on the internet is worrisome.
This bug was fixed upstream a while ago and it's already fixed in Forky and 
unstable, but even attempting TLS to reach root nameservers is almost always 
wrong and a waste of network resources across the whole path. Thus I think this 
deserves to be fixed via trixie-updates/point release too.

These two commits ought to suffice together:
https://github.com/NLnetLabs/unbound/commit/ca153f465723c3cefdaa7d299962369bc95da7c0
https://github.com/NLnetLabs/unbound/commit/e2814fe1651825cd5c7f21032e27e4326111f8f4


-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.73+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages unbound depends on:
ii  adduser              3.152
ii  init-system-helpers  1.69~deb13u1
ii  libc6                2.41-12+deb13u2
ii  libevent-2.1-7t64    2.1.12-stable-10+b1
ii  libhiredis1.1.0      1.2.0-6+b3
ii  libnghttp2-14        1.64.0-1.1
ii  libprotobuf-c1       1.5.1-1
ii  libpython3.13        3.13.5-2
ii  libssl3t64           3.5.5-1~deb13u1
ii  libsystemd0          257.9-1~deb13u1

Versions of packages unbound recommends:
ii  dns-root-data  2025080400~deb13u1

Versions of packages unbound suggests:
ii  apparmor  4.1.0-1
ii  openssl   3.5.5-1~deb13u1

-- no debconf information



--- End Message ---
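A small log check that flags the symptom described in the report: an Unbound TLS handshake attempted against port 53, which is never a DoT endpoint (DoT listens on 853). This is an added example, not code from the bug report, the Debian package or Unbound; the sample log lines are constructed from the shape of the syslog entries quoted above, and the set of known root addresses is a hypothetical input supplied by the caller (here only the address the report identifies as a root server).

```python
"""Flag Unbound 'ssl handshake failed' log lines aimed at a non-DoT port.

Added example, not part of the bug report or of Unbound. A TLS handshake
against port 53 means the resolver tried TLS on a plain-DNS server (in
the report, a root nameserver). Root addresses are caller-supplied.
"""
import re
from dataclasses import dataclass

DOT_PORT = 853

# Matches the "notice: ssl handshake failed <addr> port <n>" line shape;
# the "error: ssl handshake failed: channel closed" variant has no addr/port
# and is deliberately not matched (the colon after "failed" breaks \s+).
HANDSHAKE_RE = re.compile(
    r"ssl handshake failed\s+(?P<addr>[0-9a-fA-F:.]+)\s+port\s+(?P<port>\d+)"
)


@dataclass(frozen=True)
class Finding:
    addr: str
    port: int
    is_root: bool  # True when addr is in the caller-supplied root set
    line: str


def misdirected_tls_attempts(log_lines, known_roots=frozenset()):
    """Return one Finding per handshake attempted on a port other than 853."""
    findings = []
    for line in log_lines:
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        if port != DOT_PORT:
            addr = m.group("addr")
            findings.append(Finding(addr, port, addr in known_roots, line))
    return findings


# Constructed sample: the two lines quoted in the report plus a benign
# handshake failure against a real DoT port, which must not be flagged.
SAMPLE_LOG = [
    "unbound[2553]: [2553:0] error: ssl handshake failed: channel closed",
    "unbound[2553]: [2553:0] notice: ssl handshake failed 2001:500:9f::42 port 53",
    "unbound[2553]: [2553:0] notice: ssl handshake failed 2001:67c:930::1 port 853",
]
# The report identifies 2001:500:9f::42 as a root nameserver address.
KNOWN_ROOTS = frozenset({"2001:500:9f::42"})

if __name__ == "__main__":
    for f in misdirected_tls_attempts(SAMPLE_LOG, KNOWN_ROOTS):
        tag = "ROOT" if f.is_root else "non-DoT"
        print(f"[{tag}] TLS attempted on port {f.port} to {f.addr}: {f.line}")
```

In practice the input would be the lines from `journalctl -u unbound` or syslog, and a real root set would be read from the installed root hints.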
--- Begin Message ---
Source: unbound
Source-Version: 1.22.0-2+deb13u2
Done: Michael Tokarev <[email protected]>

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Mar 2026 16:38:29 +0300
Source: unbound
Architecture: source
Version: 1.22.0-2+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1129922
Changes:
 unbound (1.22.0-2+deb13u2) trixie; urgency=medium
 .
   * two patches from upstream to avoid ssl handshake to root NSes:
       1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
       1247-turn-off-fetch-policy-for-delegation-when.patch
     (Closes: #1129922)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
