Your message dated Sat, 16 May 2026 10:23:18 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1130863,
regarding trixie-pu: package unbound/1.22.0-2+deb13u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1130863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130863
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:unbound
User: [email protected]
Usertags: pu

[ Reason ]
There's a single bugfix in this release (compared with the version
currently in trixie), #1129922.  In short, unbound in trixie, with
certain configuration, will hammer root nameservers needlessly with
SSL/TLS handshakes.

The fix is simple enough, and I agree it should be back-ported to
current Debian stable at least.

[ Tests ]
In my testing, the fix (back-ported trixie version of unbound) seems to
work correctly and does not do any visible harm.

[ Risks ]
The fix (2 patches from upstream) is small, focused and understandable;
I don't expect any breakage from it.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Additional Info ]
https://github.com/NLnetLabs/unbound/issues/1247

Thanks,

/mjt

diff -Nru unbound-1.22.0/debian/changelog unbound-1.22.0/debian/changelog
--- unbound-1.22.0/debian/changelog     2025-11-26 23:12:47.000000000 +0300
+++ unbound-1.22.0/debian/changelog     2026-03-15 16:38:29.000000000 +0300
@@ -1,3 +1,12 @@
+unbound (1.22.0-2+deb13u2) trixie; urgency=medium
+
+  * two patches from upstream to avoid ssl handshake to root NSes:
+      1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
+      1247-turn-off-fetch-policy-for-delegation-when.patch
+    (Closes: #1129922)
+
+ -- Michael Tokarev <[email protected]>  Sun, 15 Mar 2026 16:38:29 +0300
+
 unbound (1.22.0-2+deb13u1) trixie-security; urgency=high
 
   [ Guilhem Moulin ]
diff -Nru 
unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
 
unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
--- 
unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
     1970-01-01 03:00:00.000000000 +0300
+++ 
unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
     2026-03-15 16:22:08.000000000 +0300
@@ -0,0 +1,26 @@
+From ca153f465723c3cefdaa7d299962369bc95da7c0 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <[email protected]>
+Date: Wed, 25 Jun 2025 13:56:50 +0200
+Subject: Fix #1247: forward-first: ssl handshake failed on root nameservers
+Comment: doc/Changelog changes skipped
+Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1129922
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2180,6 +2180,10 @@ processLastResort(struct module_qstate* qstate, struct 
iter_qstate* iq,
+                                       a->lame, a->tls_auth_name, -1, NULL);
+                       }
+                       lock_rw_unlock(&qstate->env->hints->lock);
++                      /* copy over some configuration since we update the
++                       * delegation point in place */
++                      iq->dp->tcp_upstream = dp->tcp_upstream;
++                      iq->dp->ssl_upstream = dp->ssl_upstream;
+               }
+               iq->dp->has_parent_side_NS = 1;
+       } else if(!iq->dp->has_parent_side_NS) {
+-- 
+2.47.3
+
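Review bot: the two new assignments `iq->dp->tcp_upstream = dp->tcp_upstream;` and `iq->dp->ssl_upstream = dp->ssl_upstream;` read `dp` after `lock_rw_unlock(&qstate->env->hints->lock);` has already run, while the loop just above reads the same `dp` with that lock held; move the two copies above the unlock so every access to the hints delegation point stays under the lock. The comment would also benefit from saying why the copy matters: `iq->dp` is updated in place, so without it the delegation point keeps the forwarder's TLS/TCP upstream settings for the root servers that were just added, which is presumably the needless TLS handshake to root servers that #1129922 describes.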
diff -Nru 
unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch
 
unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch
--- 
unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch
  1970-01-01 03:00:00.000000000 +0300
+++ 
unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch
  2026-03-15 16:13:02.000000000 +0300
@@ -0,0 +1,55 @@
+From e2814fe1651825cd5c7f21032e27e4326111f8f4 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <[email protected]>
+Date: Wed, 25 Jun 2025 13:59:17 +0200
+Subject: For #1247, turn off fetch-policy for delegation when
+ looking into parent side name servers that may not update the addresses and
+ hit NXNS limits
+Comment: doc/Changelog changes skipped
+Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1129922
+
+diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
+--- a/iterator/iter_delegpt.h
++++ b/iterator/iter_delegpt.h
+@@ -79,6 +79,16 @@ struct delegpt {
+        * Also true if the delegationpoint was created from a delegation
+        * message and thus contains the parent-side-info already. */
+       uint8_t has_parent_side_NS;
++      /** if true, the delegation point has reached last resort processing
++       *  and the parent side information has been possibly added to the
++       *  delegation point.
++       *  For now this singals that further target lookups will ignore
++       *  the configured target-fetch-policy and only resolve on
++       *  demand to try and avoid triggering limits at this stage (.i.e, it
++       *  is very likely that the A/AAAA queries for the newly added name
++       *  servers will not yield new IP addresses and trigger NXNS
++       *  countermeasures. */
++      uint8_t fallback_to_parent_side_NS;
+       /** for assertions on type of delegpt */
+       uint8_t dp_type_mlc;
+       /** use SSL for upstream query */
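Review bot: the new doc comment for `fallback_to_parent_side_NS` has two typos, `singals` should be `signals` and `.i.e,` should be `i.e.,`; worth fixing in the carried patch or at least flagging upstream. Since this adds a member to `struct delegpt`, it is also worth confirming that the code paths that create or copy a delegation point initialise and carry the new flag, which this hunk by itself does not show.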
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct 
iter_qstate* iq,
+               verbose(VERB_QUERY, "configured stub or forward servers failed 
-- returning SERVFAIL");
+               return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+       }
++      iq->dp->fallback_to_parent_side_NS = 1;
+       if(qstate->env->cfg->harden_unverified_glue) {
+               if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
+                       qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
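Review bot: `iq->dp->fallback_to_parent_side_NS = 1;` is set with no comment, directly after the SERVFAIL return for failed stub/forward servers and before the `harden_unverified_glue` block, so a reader of `processLastResort` has to go to `iter_delegpt.h` to learn why; a one-line comment such as `/* last resort: target lookups ignore target-fetch-policy from here on, see iter_delegpt.h */` would help. It is also worth confirming that setting the flag unconditionally here, ahead of the root-hints fallback further down in the same function, is intended for every last-resort path and not only the forward-first case this report is about.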
+@@ -2772,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct 
iter_qstate* iq,
+       }
+       /* if the mesh query list is full, then do not waste cpu and sockets to
+        * fetch promiscuous targets. They can be looked up when needed. */
+-      if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
++      if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
++              && !mesh_jostle_exceeded(qstate->env->mesh)) {
+               tf_policy = ie->target_fetch_policy[iq->depth];
+       }
+ 
+-- 
+2.47.3
+
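Review bot: the comment above the changed condition, `/* if the mesh query list is full, then do not waste cpu and sockets to fetch promiscuous targets. They can be looked up when needed. */`, now describes only the `!mesh_jostle_exceeded(qstate->env->mesh)` half; the new `!iq->dp->fallback_to_parent_side_NS` test deserves a clause there too, e.g. "and not during last-resort fallback to parent-side NS, where extra A/AAAA lookups are likely to hit NXNS limits". Without it, `tf_policy` silently keeps its initial value on that path and the reason is only recoverable from the header comment.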
diff -Nru unbound-1.22.0/debian/patches/series 
unbound-1.22.0/debian/patches/series
--- unbound-1.22.0/debian/patches/series        2025-11-26 23:12:47.000000000 
+0300
+++ unbound-1.22.0/debian/patches/series        2026-03-15 16:08:45.000000000 
+0300
@@ -2,3 +2,5 @@
 Fix-RebirthDay-Attack-CVE-2025-5994.patch
 CVE-2025-11411.patch
 CVE-2025-11411-additional-nodata.patch
+1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
+1247-turn-off-fetch-policy-for-delegation-when.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
