Version in base suite: 1.22.0-2+deb13u1 Base version: unbound_1.22.0-2+deb13u1 Target version: unbound_1.22.0-2+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/unbound/unbound_1.22.0-2+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/unbound/unbound_1.22.0-2+deb13u2.dsc changelog | 9 + patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch | 26 ++++ patches/1247-turn-off-fetch-policy-for-delegation-when.patch | 55 ++++++++++ patches/series | 2 4 files changed, 92 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpekdbx9ar/unbound_1.22.0-2+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpekdbx9ar/unbound_1.22.0-2+deb13u2.dsc: no acceptable signature found
diff -Nru unbound-1.22.0/debian/changelog unbound-1.22.0/debian/changelog
--- unbound-1.22.0/debian/changelog 2025-11-26 20:12:47.000000000 +0000
+++ unbound-1.22.0/debian/changelog 2026-03-15 13:38:29.000000000 +0000
@@ -1,3 +1,12 @@
+unbound (1.22.0-2+deb13u2) trixie; urgency=medium
+
+ * two patches from upstream to avoid ssl handshake to root NSes:
+ 1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
+ 1247-turn-off-fetch-policy-for-delegation-when.patch
+ (Closes: #1129922)
+
+ -- Michael Tokarev Sun, 15 Mar 2026 16:38:29 +0300
+
 unbound (1.22.0-2+deb13u1) trixie-security; urgency=high
 
 [ Guilhem Moulin ]
diff -Nru unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
--- unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch 1970-01-01 00:00:00.000000000 +0000
+++ unbound-1.22.0/debian/patches/1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch 2026-03-15 13:38:29.000000000 +0000
@@ -0,0 +1,26 @@
+From ca153f465723c3cefdaa7d299962369bc95da7c0 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs
+Date: Wed, 25 Jun 2025 13:56:50 +0200
+Subject: Fix #1247: forward-first: ssl handshake failed on root nameservers
+Comment: doc/Changelog changes skipped
+Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1129922
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2180,6 +2180,10 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ a->lame, a->tls_auth_name, -1, NULL);
+ }
+ lock_rw_unlock(&qstate->env->hints->lock);
++ /* copy over some configuration since we update the
++ * delegation point in place */
++ iq->dp->tcp_upstream = dp->tcp_upstream;
++ iq->dp->ssl_upstream = dp->ssl_upstream;
+ }
+ iq->dp->has_parent_side_NS = 1;
+ } else if(!iq->dp->has_parent_side_NS) {
+-- 
+2.47.3
+
diff -Nru unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch
--- unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch 1970-01-01 00:00:00.000000000 +0000
+++ unbound-1.22.0/debian/patches/1247-turn-off-fetch-policy-for-delegation-when.patch 2026-03-15 13:38:29.000000000 +0000
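Review bot: The two added assignments dereference `dp` immediately after `lock_rw_unlock(&qstate->env->hints->lock)` on the preceding context line; `dp` is defined outside the hunk, but if it is the root-hints delegation point that this lock guards, `dp->tcp_upstream` and `dp->ssl_upstream` are read with the lock already released and could race with a concurrent hints reload. Moving the two `iq->dp->... = dp->...;` lines together with their comment above the `lock_rw_unlock` call keeps every read of `dp` inside the locked region at no cost. The comment would also be clearer if it said what is copied and why, e.g. `/* iq->dp is updated in place, so carry over the transport settings (tcp/ssl upstream) of the hints delegation point */`. processLastResort starts and continues outside the hunk.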
@@ -0,0 +1,55 @@
+From e2814fe1651825cd5c7f21032e27e4326111f8f4 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs
+Date: Wed, 25 Jun 2025 13:59:17 +0200
+Subject: For #1247, turn off fetch-policy for delegation when
+ looking into parent side name servers that may not update the addresses and
+ hit NXNS limits
+Comment: doc/Changelog changes skipped
+Origin: upstream, https://github.com/NLnetLabs/unbound/issues/1247
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/1129922
+
+diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
+--- a/iterator/iter_delegpt.h
++++ b/iterator/iter_delegpt.h
+@@ -79,6 +79,16 @@ struct delegpt {
+ * Also true if the delegationpoint was created from a delegation
+ * message and thus contains the parent-side-info already. */
+ uint8_t has_parent_side_NS;
++ /** if true, the delegation point has reached last resort processing
++ * and the parent side information has been possibly added to the
++ * delegation point.
++ * For now this singals that further target lookups will ignore
++ * the configured target-fetch-policy and only resolve on
++ * demand to try and avoid triggering limits at this stage (.i.e, it
++ * is very likely that the A/AAAA queries for the newly added name
++ * servers will not yield new IP addresses and trigger NXNS
++ * countermeasures. */
++ uint8_t fallback_to_parent_side_NS;
+ /** for assertions on type of delegpt */
+ uint8_t dp_type_mlc;
+ /** use SSL for upstream query */
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2152,6 +2152,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
+ verbose(VERB_QUERY, "configured stub or forward servers failed -- returning SERVFAIL");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ iq->dp->fallback_to_parent_side_NS = 1;
+ if(qstate->env->cfg->harden_unverified_glue) {
+ if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
+ qstate->region, iq->dp, PACKED_RRSET_UNVERIFIED_GLUE))
+@@ -2772,7 +2773,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ }
+ /* if the mesh query list is full, then do not waste cpu and sockets to
+ * fetch promiscuous targets. They can be looked up when needed. */
+- if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
++ if(!iq->dp->fallback_to_parent_side_NS && can_do_promisc
++ && !mesh_jostle_exceeded(qstate->env->mesh)) {
+ tf_policy = ie->target_fetch_policy[iq->depth];
+ }
+ 
+-- 
+2.47.3
+
diff -Nru unbound-1.22.0/debian/patches/series unbound-1.22.0/debian/patches/series
--- unbound-1.22.0/debian/patches/series 2025-11-26 20:12:47.000000000 +0000
+++ unbound-1.22.0/debian/patches/series 2026-03-15 13:38:29.000000000 +0000
@@ -2,3 +2,5 @@
 Fix-RebirthDay-Attack-CVE-2025-5994.patch
 CVE-2025-11411.patch
 CVE-2025-11411-additional-nodata.patch
+1247-forward-first-ssl-handshake-failed-on-root-nameservers.patch
+1247-turn-off-fetch-policy-for-delegation-when.patch
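Review bot: The doc comment added to `struct delegpt` for `fallback_to_parent_side_NS` has typos and an unclosed parenthesis: `singals` should be `signals`, and `(.i.e, it is very likely ...` opens a parenthesis that is never closed before `countermeasures. */`. A corrected tail would read `* demand, to try and avoid triggering limits at this stage (i.e. it is very likely that the A/AAAA queries for the newly added name servers will not yield new IP addresses and would trigger NXNS countermeasures). */`. Separately, the hunk sets the new field only in processLastResort and tests it in processQueryTargets, but it does not show where delegation points are allocated or copied; if those constructors are not zero-filled, or a copy helper assigns fields one by one, the flag could start uninitialized or be lost on copy, which is worth confirming outside this hunk. Both enclosing functions start and end outside the hunk.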