Package: unbound Version: 1.22.0-2+deb13u1 Severity: important Tags: upstream fixed-upstream Forwarded: https://github.com/NLnetLabs/unbound/issues/1247 Control: fixed -1 1.24.0-1
The upstream issue describes the problem well, but I'll describe how I came
about it.
I have long had this configuration snippet for Unbound:
forward-zone:
name: "."
forward-tls-upstream: yes
# Try these public resolvers first instead of going to the root
nameservers.
# If these don't work, doing all of the recursion ourselves is
tolerable.
forward-first: yes
forward-addr: 2001:67c:930::1#wikimedia-dns.org
forward-addr: 2a04:b900:0:100::37#getdnsapi.net
For my workstation, I use Unbound so it can privately reach a couple major
DNS-over-TLS resolvers and also perform DNSSEC validation. In particular DNSSEC
and some particular resource record types I use frequently can elicit large
answers, so a keep-alive TCP connection is well-suited for me anyhow. If, for
whatever reason, my preferred resolvers aren't readily available, falling back
to recursive resolution with the root nameservers directly is okay I guess, so
I set "forward-first: yes" to say that, if the "forwarders" aren't reachable,
do things the old-school way.
In syslog I found a bunch of log entries that looked like this:
[2553:0] error: ssl handshake failed: channel closed
unbound[2553]: [2553:0] notice: ssl handshake failed 2001:500:9f::42 port 53
That's a root name server! Root servers obviously don't support TLS, and
definitely not on port 53. It is a mistake that Unbound ever tried this.
Because the root name servers are a pillar of internet infrastructure, the
thought that many machines like mine could be part of an accidental DDoS of the
most busy servers on the internet is worrisome.
This bug was fixed upstream a while ago and it's already fixed in Forky and
unstable, but even attempting TLS to reach root nameservers is almost always
wrong and a waste of network resources across the whole path. Thus I think this
deserves to be fixed via trixie-updates/point release too.
These two commits ought to suffice together:
https://github.com/NLnetLabs/unbound/commit/ca153f465723c3cefdaa7d299962369bc95da7c0
https://github.com/NLnetLabs/unbound/commit/e2814fe1651825cd5c7f21032e27e4326111f8f4
-- System Information:
Debian Release: 13.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.73+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unbound depends on:
ii adduser 3.152
ii init-system-helpers 1.69~deb13u1
ii libc6 2.41-12+deb13u2
ii libevent-2.1-7t64 2.1.12-stable-10+b1
ii libhiredis1.1.0 1.2.0-6+b3
ii libnghttp2-14 1.64.0-1.1
ii libprotobuf-c1 1.5.1-1
ii libpython3.13 3.13.5-2
ii libssl3t64 3.5.5-1~deb13u1
ii libsystemd0 257.9-1~deb13u1
Versions of packages unbound recommends:
ii dns-root-data 2025080400~deb13u1
Versions of packages unbound suggests:
ii apparmor 4.1.0-1
ii openssl 3.5.5-1~deb13u1
-- no debconf information
signature.asc
Description: This is a digitally signed message part
