Update to 1.24.2

- Fixes CVE-2025-11411

Features from 1.24:

- Increase default to `num-queries-per-thread: 2048`
- num.valops in extended statistics
- unbound-control cache_lookup <domains> support
- zone status for auth-zones

Features from 1.23:

- Increase the default of max-global-quota to 200 from 128
- The default value of serve-expired-client-timeout is set to 1800
- Support for RESINFO RRType 261 (RFC9606).
- Add resolver.arpa and service.arpa to the default locally served zones.
- Fast Reload. The unbound-control fast_reload is added.
- DNS Error Reporting (RFC 9567).

Features from 1.22:
- Add iter-scrub-ns, iter-scrub-cname and max-global-quota configuration options.
- Merge patch to fix for glue that is outside of zone, with `harden-unverified-glue`
- log timestamps in ISO8601 format with timezone
- DNS over QUIC. This adds `quic-port: 853` and `quic-size: 8m`.
  Requires ngtcp2, not yet in RHEL.

Features from 1.21:
- Clear both in-memory and cachedb module cache with `unbound-control flush*` commands.
- Add dnstap-sample-rate that logs only 1/N messages.
- Add root key 38696 from 2024 for DNSSEC validation.
- Cookie secret file. Adds `cookie-secret-file option.

And a lot of bug fixes.

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2

Resolves: RHEL-132717

.gitignore

@@ -72,3 +72,5 @@ unbound-1.4.5.tar.gz
 /unbound-1.16.0.tar.gz
 /unbound-1.16.2.tar.gz
 /unbound-1.16.2.tar.gz.asc
+/unbound-1.*.tar.gz
+/unbound-1.*.tar.gz.asc

sources

@@ -1,2 +1,2 @@
-SHA512 (unbound-1.16.2.tar.gz) = 0ea65ea63265be677441bd2a28df12098ec5e86c3372240c2874f9bd13752b8b818da81ae6076cf02cbeba3d36e397698a4c2b50570be1a6a8e47f57a0251572
-SHA512 (unbound-1.16.2.tar.gz.asc) = bc5241c86f90be76886209c81d6f1c025d4774fa00d114180b99d43999f31b1b4c8d123717b8a79a60bc3acfcbe9f46678b80b3d961431c7bfd05ff48c69ef4f
+SHA512 (unbound-1.24.2.tar.gz) = 655d63ec5305323e84d82691425d74d98c332d0028517bd729d191e5f968ce9481b49ec7447d4c4906dce7997a998a115db36e911a59d2d877da5840c2080261
+SHA512 (unbound-1.24.2.tar.gz.asc) = 66a3e569a606cc3ed7dac9b411fba347da150728427619bdbf12ac57a5d7db1fc17963b1ba052a95d6c6fed67a6f0c1b5920318f6cd34e5091750626dd63fb21

unbound-1.16-CVE-2022-3204.patch

@@ -1,218 +0,0 @@
-From 7af485f0fc9926425681ba0280ab6c2c8dd04530 Mon Sep 17 00:00:00 2001
-From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
-Date: Wed, 21 Sep 2022 11:10:38 +0200
-Subject: [PATCH] - Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
-
----
- unbound-1.16.2/iterator/iter_delegpt.c |  3 +++
- unbound-1.16.2/iterator/iter_delegpt.h |  2 ++
- unbound-1.16.2/iterator/iter_utils.c   |  3 +++
- unbound-1.16.2/iterator/iter_utils.h   |  9 +++++++
- unbound-1.16.2/iterator/iterator.c     | 36 +++++++++++++++++++++++++-
- unbound-1.16.2/services/cache/dns.c    |  3 +++
- unbound-1.16.2/services/mesh.c         |  7 +++++
- unbound-1.16.2/services/mesh.h         | 11 ++++++++
- 8 files changed, 73 insertions(+), 1 deletion(-)
-
-diff --git a/unbound-1.16.2/iterator/iter_delegpt.c b/unbound-1.16.2/iterator/iter_delegpt.c
-index 4bffa1b..fd07aaa 100644
---- a/unbound-1.16.2/iterator/iter_delegpt.c
-+++ b/unbound-1.16.2/iterator/iter_delegpt.c
-@@ -78,6 +78,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
- 		if(!delegpt_add_ns(copy, region, ns->name, ns->lame,
- 			ns->tls_auth_name, ns->port))
- 			return NULL;
-+		copy->nslist->cache_lookup_count = ns->cache_lookup_count;
- 		copy->nslist->resolved = ns->resolved;
- 		copy->nslist->got4 = ns->got4;
- 		copy->nslist->got6 = ns->got6;
-@@ -121,6 +122,7 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
- 	ns->namelen = len;
- 	dp->nslist = ns;
- 	ns->name = regional_alloc_init(region, name, ns->namelen);
-+	ns->cache_lookup_count = 0;
- 	ns->resolved = 0;
- 	ns->got4 = 0;
- 	ns->got6 = 0;
-@@ -620,6 +622,7 @@ int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame,
- 	}
- 	ns->next = dp->nslist;
- 	dp->nslist = ns;
-+	ns->cache_lookup_count = 0;
- 	ns->resolved = 0;
- 	ns->got4 = 0;
- 	ns->got6 = 0;
-diff --git a/unbound-1.16.2/iterator/iter_delegpt.h b/unbound-1.16.2/iterator/iter_delegpt.h
-index 62c8edc..586597a 100644
---- a/unbound-1.16.2/iterator/iter_delegpt.h
-+++ b/unbound-1.16.2/iterator/iter_delegpt.h
-@@ -101,6 +101,8 @@ struct delegpt_ns {
- 	uint8_t* name;
- 	/** length of name */
- 	size_t namelen;
-+	/** number of cache lookups for the name */
-+	int cache_lookup_count;
- 	/** 
- 	 * If the name has been resolved. false if not queried for yet.
- 	 * true if the A, AAAA queries have been generated.
-diff --git a/unbound-1.16.2/iterator/iter_utils.c b/unbound-1.16.2/iterator/iter_utils.c
-index 3e13e59..56b184a 100644
---- a/unbound-1.16.2/iterator/iter_utils.c
-+++ b/unbound-1.16.2/iterator/iter_utils.c
-@@ -1209,6 +1209,9 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
- 	struct delegpt_ns* ns;
- 	size_t num = delegpt_count_targets(dp);
- 	for(ns = dp->nslist; ns; ns = ns->next) {
-+		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)
-+			continue;
-+		ns->cache_lookup_count++;
- 		/* get cached parentside A */
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name,
- 			ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass,
-diff --git a/unbound-1.16.2/iterator/iter_utils.h b/unbound-1.16.2/iterator/iter_utils.h
-index 8583fde..850be96 100644
---- a/unbound-1.16.2/iterator/iter_utils.h
-+++ b/unbound-1.16.2/iterator/iter_utils.h
-@@ -62,6 +62,15 @@ struct ub_packed_rrset_key;
- struct module_stack;
- struct outside_network;
- 
-+/* max number of lookups in the cache for target nameserver names.
-+ * This stops, for large delegations, N*N lookups in the cache. */
-+#define ITERATOR_NAME_CACHELOOKUP_MAX	3
-+/* max number of lookups in the cache for parentside glue for nameserver names
-+ * This stops, for larger delegations, N*N lookups in the cache.
-+ * It is a little larger than the nonpside max, so it allows a couple extra
-+ * lookups of parent side glue. */
-+#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE	5
-+
- /**
-  * Process config options and set iterator module state.
-  * Sets default values if no config is found.
-diff --git a/unbound-1.16.2/iterator/iterator.c b/unbound-1.16.2/iterator/iterator.c
-index 25e5cfe..da9b799 100644
---- a/unbound-1.16.2/iterator/iterator.c
-+++ b/unbound-1.16.2/iterator/iterator.c
-@@ -1218,6 +1218,15 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
- 		(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
- 		return;
- 	}
-+	/* we do not generate this prefetch when the query list is full,
-+	 * the query is fetched, if needed, when the validator wants it.
-+	 * At that time the validator waits for it, after spawning it.
-+	 * This means there is one state that uses cpu and a socket, the
-+	 * spawned while this one waits, and not several at the same time,
-+	 * if we had created the lookup here. And this helps to keep
-+	 * the total load down, but the query still succeeds to resolve. */
-+	if(mesh_jostle_exceeded(qstate->env->mesh))
-+		return;
- 
- 	/* if the DNSKEY is in the cache this lookup will stop quickly */
- 	log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch", 
-@@ -1911,6 +1920,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
- 				return 0;
- 			}
- 			query_count++;
-+			/* If the mesh query list is full, exit the loop here.
-+			 * This makes the routine spawn one query at a time,
-+			 * and this means there is no query state load
-+			 * increase, because the spawned state uses cpu and a
-+			 * socket while this state waits for that spawned
-+			 * state. Next time we can look up further targets */
-+			if(mesh_jostle_exceeded(qstate->env->mesh))
-+				break;
- 		}
- 		/* Send the A request. */
- 		if(ie->supports_ipv4 &&
-@@ -1925,6 +1942,9 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
- 				return 0;
- 			}
- 			query_count++;
-+			/* If the mesh query list is full, exit the loop. */
-+			if(mesh_jostle_exceeded(qstate->env->mesh))
-+				break;
- 		}
- 
- 		/* mark this target as in progress. */
-@@ -2085,6 +2105,15 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
- 			}
- 			ns->done_pside6 = 1;
- 			query_count++;
-+			if(mesh_jostle_exceeded(qstate->env->mesh)) {
-+				/* Wait for the lookup; do not spawn multiple
-+				 * lookups at a time. */
-+				verbose(VERB_ALGO, "try parent-side glue lookup");
-+				iq->num_target_queries += query_count;
-+				target_count_increase(iq, query_count);
-+				qstate->ext_state[id] = module_wait_subquery;
-+				return 0;
-+			}
- 		}
- 		if(ie->supports_ipv4 && !ns->done_pside4) {
- 			/* Send the A request. */
-@@ -2560,7 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
- 	if(iq->depth < ie->max_dependency_depth
- 		&& iq->num_target_queries == 0
- 		&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
--		&& iq->sent_count < TARGET_FETCH_STOP) {
-+		&& iq->sent_count < TARGET_FETCH_STOP
-+		/* if the mesh query list is full, then do not waste cpu
-+		 * and sockets to fetch promiscuous targets. They can be
-+		 * looked up when needed. */
-+		&& !mesh_jostle_exceeded(qstate->env->mesh)
-+		) {
- 		tf_policy = ie->target_fetch_policy[iq->depth];
- 	}
- 
-diff --git a/unbound-1.16.2/services/cache/dns.c b/unbound-1.16.2/services/cache/dns.c
-index 6bca8d8..b6e5697 100644
---- a/unbound-1.16.2/services/cache/dns.c
-+++ b/unbound-1.16.2/services/cache/dns.c
-@@ -404,6 +404,9 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
- 	struct ub_packed_rrset_key* akey;
- 	time_t now = *env->now;
- 	for(ns = dp->nslist; ns; ns = ns->next) {
-+		if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX)
-+			continue;
-+		ns->cache_lookup_count++;
- 		akey = rrset_cache_lookup(env->rrset_cache, ns->name, 
- 			ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
- 		if(akey) {
-diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
-index 30bcf7c..2a41194 100644
---- a/unbound-1.16.2/services/mesh.c
-+++ b/unbound-1.16.2/services/mesh.c
-@@ -2240,3 +2240,10 @@ mesh_serve_expired_callback(void* arg)
- 		mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv);
- 	}
- }
-+
-+int mesh_jostle_exceeded(struct mesh_area* mesh)
-+{
-+	if(mesh->all.count < mesh->max_reply_states)
-+		return 0;
-+	return 1;
-+}
-diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
-index 3be9b63..25121a6 100644
---- a/unbound-1.16.2/services/mesh.h
-+++ b/unbound-1.16.2/services/mesh.h
-@@ -685,4 +685,15 @@ struct dns_msg*
- mesh_serve_expired_lookup(struct module_qstate* qstate,
- 	struct query_info* lookup_qinfo);
- 
-+/**
-+ * See if the mesh has space for more queries. You can allocate queries
-+ * anyway, but this checks for the allocated space.
-+ * @param mesh: mesh area.
-+ * @return true if the query list is full.
-+ * 	It checks the number of all queries, not just number of reply states,
-+ * 	that have a client address. So that spawned queries count too,
-+ * 	that were created by the iterator, or other modules.
-+ */
-+int mesh_jostle_exceeded(struct mesh_area* mesh);
-+
- #endif /* SERVICES_MESH_H */
--- 
-2.37.3
-

unbound-1.16-control-key-perms.patch

@@ -1,14 +0,0 @@
-diff --git a/unbound-1.16.2/smallapp/unbound-control-setup.sh.in b/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
-index 4a358f6bd..c2a79a242 100644
---- a/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
-+++ b/unbound-1.16.2/smallapp/unbound-control-setup.sh.in
-@@ -204,7 +204,8 @@ fi
- # remove unused permissions
- chmod o-rw \
-       "$SVR_BASE.pem" \
--      "$SVR_BASE.key" \
-+      "$SVR_BASE.key"
-+chmod g+r,o-rw \
-       "$CTL_BASE.pem" \
-       "$CTL_BASE.key"
- 

unbound-1.16-control-t-flag.patch

@@ -1,129 +0,0 @@
-commit 6d1e61173bbf44dae458c361be63217f7e9e5599
-Author: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
-Date:   Thu Mar 28 09:58:03 2024 +0100
-
-    - Fix #1034: DoT forward-zone via unbound-control.
-
-diff --git a/unbound-1.16.2/daemon/remote.c b/unbound-1.16.2/daemon/remote.c
-index 5d79eafd..cbce1198 100644
---- a/unbound-1.16.2/daemon/remote.c
-+++ b/unbound-1.16.2/daemon/remote.c
-@@ -2097,7 +2097,7 @@ do_forward(RES* ssl, struct worker* worker, char* args)
- 
- static int
- parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
--	int* insecure, int* prime)
-+	int* insecure, int* prime, int* tls)
- {
- 	char* zonename;
- 	char* rest;
-@@ -2112,6 +2112,8 @@ parse_fs_args(RES* ssl, char* args, uint8_t** nm, struct delegpt** dp,
- 				*insecure = 1;
- 			else if(*args == 'p' && prime)
- 				*prime = 1;
-+			else if(*args == 't' && tls)
-+				*tls = 1;
- 			else {
- 				(void)ssl_printf(ssl, "error: unknown option %s\n", args);
- 				return 0;
-@@ -2144,11 +2146,13 @@ static void
- do_forward_add(RES* ssl, struct worker* worker, char* args)
- {
- 	struct iter_forwards* fwd = worker->env.fwds;
--	int insecure = 0;
-+	int insecure = 0, tls = 0;
- 	uint8_t* nm = NULL;
- 	struct delegpt* dp = NULL;
--	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL))
-+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, NULL, &tls))
- 		return;
-+	if(tls)
-+		dp->ssl_upstream = 1;
- 	if(insecure && worker->env.anchors) {
- 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
- 			nm)) {
-@@ -2174,7 +2178,7 @@ do_forward_remove(RES* ssl, struct worker* worker, char* args)
- 	struct iter_forwards* fwd = worker->env.fwds;
- 	int insecure = 0;
- 	uint8_t* nm = NULL;
--	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
-+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
- 		return;
- 	if(insecure && worker->env.anchors)
- 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
-@@ -2189,11 +2193,13 @@ static void
- do_stub_add(RES* ssl, struct worker* worker, char* args)
- {
- 	struct iter_forwards* fwd = worker->env.fwds;
--	int insecure = 0, prime = 0;
-+	int insecure = 0, prime = 0, tls = 0;
- 	uint8_t* nm = NULL;
- 	struct delegpt* dp = NULL;
--	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime))
-+	if(!parse_fs_args(ssl, args, &nm, &dp, &insecure, &prime, &tls))
- 		return;
-+	if(tls)
-+		dp->ssl_upstream = 1;
- 	if(insecure && worker->env.anchors) {
- 		if(!anchors_add_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
- 			nm)) {
-@@ -2232,7 +2238,7 @@ do_stub_remove(RES* ssl, struct worker* worker, char* args)
- 	struct iter_forwards* fwd = worker->env.fwds;
- 	int insecure = 0;
- 	uint8_t* nm = NULL;
--	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL))
-+	if(!parse_fs_args(ssl, args, &nm, NULL, &insecure, NULL, NULL))
- 		return;
- 	if(insecure && worker->env.anchors)
- 		anchors_delete_insecure(worker->env.anchors, LDNS_RR_CLASS_IN,
-diff --git a/unbound-1.16.2/doc/unbound-control.8.in b/unbound-1.16.2/doc/unbound-control.8.in
-index 7823de3a..642b4c94 100644
---- a/unbound-1.16.2/doc/unbound-control.8.in
-+++ b/unbound-1.16.2/doc/unbound-control.8.in
-@@ -239,22 +239,24 @@ still be bogus, use \fBflush_zone\fR to remove it), does not affect the config f
- .B insecure_remove \fIzone
- Removes domain\-insecure for the given zone.
- .TP
--.B forward_add \fR[\fI+i\fR] \fIzone addr ...
-+.B forward_add \fR[\fI+it\fR] \fIzone addr ...
- Add a new forward zone to running Unbound.  With +i option also adds a
- \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have
- a DNSSEC root trust anchor configured for other names).
- The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config
- in unbound.conf.
-+The +t option sets it to use tls upstream, like \fIforward\-tls\-upstream\fR: yes.
- .TP
- .B forward_remove \fR[\fI+i\fR] \fIzone
- Remove a forward zone from running Unbound.  The +i also removes a
- \fIdomain\-insecure\fR for the zone.
- .TP
--.B stub_add \fR[\fI+ip\fR] \fIzone addr ...
-+.B stub_add \fR[\fI+ipt\fR] \fIzone addr ...
- Add a new stub zone to running Unbound.  With +i option also adds a
- \fIdomain\-insecure\fR for the zone.  With +p the stub zone is set to prime,
- without it it is set to notprime.  The addr can be IP4, IP6 or nameserver
- names, like the \fIstub-zone\fR config in unbound.conf.
-+The +t option sets it to use tls upstream, like \fIstub\-tls\-upstream\fR: yes.
- .TP
- .B stub_remove \fR[\fI+i\fR] \fIzone
- Remove a stub zone from running Unbound.  The +i also removes a
-diff --git a/unbound-1.16.2/smallapp/unbound-control.c b/unbound-1.16.2/smallapp/unbound-control.c
-index c4f73006..57b0787d 100644
---- a/unbound-1.16.2/smallapp/unbound-control.c
-+++ b/unbound-1.16.2/smallapp/unbound-control.c
-@@ -150,12 +150,13 @@ usage(void)
- 	printf("  list_local_data		list local-data RRs in use\n");
- 	printf("  insecure_add zone 		add domain-insecure zone\n");
- 	printf("  insecure_remove zone		remove domain-insecure zone\n");
--	printf("  forward_add [+i] zone addr..	add forward-zone with servers\n");
-+	printf("  forward_add [+it] zone addr..	add forward-zone with servers\n");
- 	printf("  forward_remove [+i] zone	remove forward zone\n");
--	printf("  stub_add [+ip] zone addr..	add stub-zone with servers\n");
-+	printf("  stub_add [+ipt] zone addr..	add stub-zone with servers\n");
- 	printf("  stub_remove [+i] zone		remove stub zone\n");
- 	printf("		+i		also do dnssec insecure point\n");
- 	printf("		+p		set stub to use priming\n");
-+	printf("		+t		set to use tls upstream\n");
- 	printf("  forward [off | addr ...]	without arg show forward setup\n");
- 	printf("				or off to turn off root forwarding\n");
- 	printf("				or give list of ip addresses\n");

unbound-1.21-CVE-2024-8508.patch

@@ -1,249 +0,0 @@
-From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
-From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
-Date: Thu, 3 Oct 2024 14:46:57 +0200
-Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
- denial of service.
-
----
- unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
- 1 file changed, 46 insertions(+), 31 deletions(-)
-
-diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
-index fe21cfb..f9e95e6 100644
---- a/unbound-1.16.2/util/data/msgencode.c
-+++ b/unbound-1.16.2/util/data/msgencode.c
-@@ -62,6 +62,10 @@
- #define RETVAL_TRUNC	-4
- /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
- #define RETVAL_OK	0
-+/** Max compressions we are willing to perform; more than that will result
-+ *  in semi-compressed messages, or truncated even on TCP for huge messages, to
-+ *  avoid locking the CPU for long */
-+#define MAX_COMPRESSION_PER_MESSAGE 120
- 
- /**
-  * Data structure to help domain name compression in outgoing messages.
-@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
- 
- /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
- static int
--compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
--	struct regional* region, struct compress_tree_node** tree, 
--	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
-+compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
-+	struct regional* region, struct compress_tree_node** tree,
-+	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
-+	size_t* compress_count)
- {
- 	struct compress_tree_node* p;
- 	struct compress_tree_node** insertpt = NULL;
- 	if(!*owner_ptr) {
- 		/* compress first time dname */
--		if((p = compress_tree_lookup(tree, key->rk.dname, 
-+		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
-+			(p = compress_tree_lookup(tree, key->rk.dname,
- 			owner_labs, &insertpt))) {
- 			if(p->labs == owner_labs) 
- 				/* avoid ptr chains, since some software is
-@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 			if(!write_compressed_dname(pkt, key->rk.dname, 
- 				owner_labs, p))
- 				return RETVAL_TRUNC;
-+			(*compress_count)++;
- 			/* check if typeclass+4 ttl + rdatalen is available */
- 			if(sldns_buffer_remaining(pkt) < 4+4+2)
- 				return RETVAL_TRUNC;
-@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 			if(owner_pos <= PTR_MAX_OFFSET)
- 				*owner_ptr = htons(PTR_CREATE(owner_pos));
- 		}
--		if(!compress_tree_store(key->rk.dname, owner_labs, 
-+		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
-+			!compress_tree_store(key->rk.dname, owner_labs,
- 			owner_pos, region, p, insertpt))
- 			return RETVAL_OUTMEM;
- 	} else {
-@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 
- /** compress any domain name to the packet, return RETVAL_* */
- static int
--compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
--	struct regional* region, struct compress_tree_node** tree)
-+compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
-+	struct regional* region, struct compress_tree_node** tree,
-+	size_t* compress_count)
- {
- 	struct compress_tree_node* p;
- 	struct compress_tree_node** insertpt = NULL;
- 	size_t pos = sldns_buffer_position(pkt);
--	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
-+	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
-+		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
- 		if(!write_compressed_dname(pkt, dname, labs, p))
- 			return RETVAL_TRUNC;
-+		(*compress_count)++;
- 	} else {
- 		if(!dname_buffer_write(pkt, dname))
- 			return RETVAL_TRUNC;
- 	}
--	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
-+	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
-+		!compress_tree_store(dname, labs, pos, region, p, insertpt))
- 		return RETVAL_OUTMEM;
- 	return RETVAL_OK;
- }
-@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
- 
- /** compress domain names in rdata, return RETVAL_* */
- static int
--compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
--	struct regional* region, struct compress_tree_node** tree, 
--	const sldns_rr_descriptor* desc)
-+compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
-+	struct regional* region, struct compress_tree_node** tree,
-+	const sldns_rr_descriptor* desc, size_t* compress_count)
- {
- 	int labs, r, rdf = 0;
- 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
-@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
- 		switch(desc->_wireformat[rdf]) {
- 		case LDNS_RDF_TYPE_DNAME:
- 			labs = dname_count_size_labels(rdata, &dname_len);
--			if((r=compress_any_dname(rdata, pkt, labs, region, 
--				tree)) != RETVAL_OK)
-+			if((r=compress_any_dname(rdata, pkt, labs, region,
-+				tree, compress_count)) != RETVAL_OK)
- 				return r;
- 			rdata += dname_len;
- 			todolen -= dname_len;
-@@ -449,7 +461,8 @@ static int
- packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
- 	uint16_t* num_rrs, time_t timenow, struct regional* region,
- 	int do_data, int do_sig, struct compress_tree_node** tree,
--	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
-+	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
-+	size_t* compress_count)
- {
- 	size_t i, j, owner_pos;
- 	int r, owner_labs;
-@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 		for(i=0; i<data->count; i++) {
- 			/* rrset roundrobin */
- 			j = (i + rr_offset) % data->count;
--			if((r=compress_owner(key, pkt, region, tree, 
--				owner_pos, &owner_ptr, owner_labs))
--				!= RETVAL_OK)
-+			if((r=compress_owner(key, pkt, region, tree,
-+				owner_pos, &owner_ptr, owner_labs,
-+				compress_count)) != RETVAL_OK)
- 				return r;
- 			sldns_buffer_write(pkt, &key->rk.type, 2);
- 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
-@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
- 			if(c) {
- 				if((r=compress_rdata(pkt, data->rr_data[j],
--					data->rr_len[j], region, tree, c))
--					!= RETVAL_OK)
-+					data->rr_len[j], region, tree, c,
-+					compress_count)) != RETVAL_OK)
- 					return r;
- 			} else {
- 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
-@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
- 					return RETVAL_TRUNC;
- 				sldns_buffer_write(pkt, &owner_ptr, 2);
- 			} else {
--				if((r=compress_any_dname(key->rk.dname, 
--					pkt, owner_labs, region, tree))
--					!= RETVAL_OK)
-+				if((r=compress_any_dname(key->rk.dname,
-+					pkt, owner_labs, region, tree,
-+					compress_count)) != RETVAL_OK)
- 					return r;
- 				if(sldns_buffer_remaining(pkt) < 
- 					4+4+data->rr_len[i])
-@@ -544,7 +557,8 @@ static int
- insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
- 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
- 	struct regional* region, struct compress_tree_node** tree,
--	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
-+	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
-+	size_t* compress_count)
- {
- 	int r;
- 	size_t i, setstart;
-@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
- 			setstart = sldns_buffer_position(pkt);
- 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
- 				pkt, num_rrs, timenow, region, 1, 1, tree,
--				s, qtype, dnssec, rr_offset))
-+				s, qtype, dnssec, rr_offset, compress_count))
- 				!= RETVAL_OK) {
- 				/* Bad, but if due to size must set TC bit */
- 				/* trim off the rrset neatly. */
-@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
- 			setstart = sldns_buffer_position(pkt);
- 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
- 				pkt, num_rrs, timenow, region, 1, 0, tree,
--				s, qtype, dnssec, rr_offset))
-+				s, qtype, dnssec, rr_offset, compress_count))
- 				!= RETVAL_OK) {
- 				sldns_buffer_set_position(pkt, setstart);
- 				return r;
-@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
- 			setstart = sldns_buffer_position(pkt);
- 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
- 				pkt, num_rrs, timenow, region, 0, 1, tree,
--				s, qtype, dnssec, rr_offset))
-+				s, qtype, dnssec, rr_offset, compress_count))
- 				!= RETVAL_OK) {
- 				sldns_buffer_set_position(pkt, setstart);
- 				return r;
-@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- 	struct compress_tree_node* tree = 0;
- 	int r;
- 	size_t rr_offset;
-+	size_t compress_count=0;
- 
- 	sldns_buffer_clear(buffer);
- 	if(udpsize < sldns_buffer_limit(buffer))
-@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- 		arep.rrsets = &qinfo->local_alias->rrset;
- 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
- 			timezero, region, &tree, LDNS_SECTION_ANSWER,
--			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
-+			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
- 			if(r == RETVAL_TRUNC) {
- 				/* create truncated message */
- 				sldns_buffer_write_u16_at(buffer, 6, ancount);
-@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- 	/* insert answer section */
- 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
- 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
--		dnssec, rr_offset)) != RETVAL_OK) {
-+		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
- 		if(r == RETVAL_TRUNC) {
- 			/* create truncated message */
- 			sldns_buffer_write_u16_at(buffer, 6, ancount);
-@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
- 			rep->an_numrrsets, timenow, region, &tree,
- 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
--			dnssec, rr_offset)) != RETVAL_OK) {
-+			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
- 			if(r == RETVAL_TRUNC) {
- 				/* create truncated message */
- 				sldns_buffer_write_u16_at(buffer, 8, nscount);
-@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
- 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
- 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
--				dnssec, rr_offset)) != RETVAL_OK) {
-+				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
- 				if(r == RETVAL_TRUNC) {
- 					/* no need to set TC bit, this is the additional */
- 					sldns_buffer_write_u16_at(buffer, 10, arcount);
--- 
-2.47.0
-

unbound-fedora-config.patch

@@ -0,0 +1,113 @@
+From a8be97bada623287cdd911c7a4549bbceef9fea0 Mon Sep 17 00:00:00 2001
+From: Tomas Korbar <tkorbar@redhat.com>
+Date: Tue, 4 Feb 2025 09:48:12 +0100
+Subject: [PATCH] Customize unbound.conf for Fedora defaults
+
+Set some Fedora/RHEL specific changes to example configuration file. By
+patching upstream provided config file we would not need to manually
+update external copy in source RPM.
+---
+ unbound-1.24.2/doc/example.conf.in | 33 ++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/unbound-1.24.2/doc/example.conf.in b/unbound-1.24.2/doc/example.conf.in
+index fda565c..cf10b85 100644
+--- a/unbound-1.24.2/doc/example.conf.in
++++ b/unbound-1.24.2/doc/example.conf.in
+@@ -51,11 +51,19 @@ server:
+ 	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+ 	# specify every interface[@port] on a new 'interface:' labelled line.
+ 	# The listen interfaces are not changed on reload, only on restart.
++	# interface: 0.0.0.0
++	# interface: ::0
+ 	# interface: 192.0.2.153
+ 	# interface: 192.0.2.154
+ 	# interface: 192.0.2.154@5003
+ 	# interface: 2001:DB8::5
+ 	# interface: eth0@5003
++	#
++	# for dns over tls and raw dns over port 80
++	# interface: 0.0.0.0@443
++	# interface: ::0@443
++	# interface: 0.0.0.0@80
++	# interface: ::0@80
+ 
+ 	# enable this feature to copy the source address of queries to reply.
+ 	# Socket options are not supported on all platforms. experimental.
+@@ -295,6 +303,8 @@ server:
+ 	# nat64-prefix: 64:ff9b::0/96
+ 
+ 	# Enable UDP, "yes" or "no".
++	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
++	# disable UDP to avoid being used in DNS amplification attacks.
+ 	# do-udp: yes
+ 
+ 	# Enable TCP, "yes" or "no".
+@@ -330,6 +340,9 @@ server:
+ 	# can be dropped. Default is 0, disabled. In seconds, such as 3.
+ 	# sock-queue-timeout: 0
+ 
++	# Fedora note: do not activate this - not compiled in because
++	# it causes frequent unbound crashes. Also, socket activation
++	# is bad when you have things like dnsmasq also running with libvirt.
+ 	# Use systemd socket activation for UDP, TCP, and control sockets.
+ 	# use-systemd: no
+ 
+@@ -919,6 +932,8 @@ server:
+ 	# you need to do the reverse notation yourself.
+ 	# local-data-ptr: "192.0.2.3 www.example.com"
+ 
++	include: /etc/unbound/local.d/*.conf
++
+ 	# tag a localzone with a list of tag names (in "" with spaces between)
+ 	# local-zone-tag: "example.com" "tag2 tag3"
+ 
+@@ -929,8 +944,8 @@ server:
+ 	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+ 	# Give the certificate to use and private key.
+ 	# default is "" (disabled).  requires restart to take effect.
+-	# tls-service-key: "path/to/privatekeyfile.key"
+-	# tls-service-pem: "path/to/publiccertfile.pem"
++	# tls-service-key: "/etc/unbound/unbound_server.key"
++	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+ 	# tls-port: 853
+ 	# https-port: 443
+ 	# quic-port: 853
+@@ -1184,6 +1199,12 @@ remote-control:
+ 	# unbound-control certificate file.
+ 	# control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
+ 
++# Default Fedora settings
++include: "@UNBOUND_SHARE_DIR@/fedora-defaults.conf"
++
++# Stub and Forward zones
++include: "@sysconfdir@/unbound/conf.d/*.conf"
++
+ # Stub zones.
+ # Create entries like below, to make all queries for 'example.com' and
+ # 'example.org' go to the given list of nameservers. list zero or more
+@@ -1204,6 +1225,10 @@ remote-control:
+ #	name: "example.org"
+ #	stub-host: ns.example.com.
+ 
++# You can now also dynamically create and delete stub-zone's using
++# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
++# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
++
+ # Forward zones
+ # Create entries like below, to make all queries for 'example.com' and
+ # 'example.org' go to the given list of servers. These servers have to handle
+@@ -1221,6 +1246,10 @@ remote-control:
+ # forward-zone:
+ # 	name: "example.org"
+ # 	forward-host: fwd.example.com
++#
++# You can now also dynamically create and delete forward-zone's using
++# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
++# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
+ 
+ # Authority zones
+ # The data for these zones is kept locally, from a file or downloaded.
+-- 
+2.52.0
+

unbound.spec

@@ -29,8 +29,8 @@
 
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.16.2
-Release: 24%{?extra_version:.%{extra_version}}%{?dist}
+Version: 1.24.2
+Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://nlnetlabs.nl/projects/unbound/
 Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
@@ -60,31 +60,14 @@ Source25: unbound.sysusers
 Source26: unbound-as112-networks.conf
 Source27: tmpfiles-unbound-libs.conf
 
-# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
-Patch1: unbound-1.16-CVE-2022-3204.patch
-# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
-Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
-# https://github.com/NLnetLabs/unbound/commit/6d1e61173
-Patch5: unbound-1.16-control-t-flag.patch
-# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
-Patch6: unbound-1.21-CVE-2024-8508.patch
-# https://github.com/NLnetLabs/unbound/commit/b48958c983f60af40358cca168c403e57bde30d2
-Patch7: unbound-1.16-control-key-perms.patch
-# The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
-# that is why we have to backport these commits. They have their respective tests
-# backported with them.
-# https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
-# https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
-# https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
-# https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
-# https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
-Patch8: unbound-1.23.1-CVE-2025-5994.patch
+# Downstream configuration changes
+Patch1:   unbound-fedora-config.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
 BuildRequires: libevent-devel expat-devel
 BuildRequires: pkgconfig
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 10
 BuildRequires: gnupg2
 %endif
 %if 0%{with_python2}
@@ -192,7 +175,7 @@ Unbound dracut module allowing use of Unbound for name resolution
 in initramfs.
 
 %prep
-%if 0%{?fedora}
+%if 0%{?fedora} || 0%{?rhel} >= 10
 %gpgverify -k 19 -s 18 -d 0
 %endif
 %global pkgname %{name}-%{version}%{?extra_version}
@@ -213,7 +196,7 @@ pushd %{pkgname}
 %autopatch -p2
 
 # only for snapshots
-autoreconf -iv
+autoreconf -fiv
 
 # copy common doc files - after here, since it may be patched
 cp -pr doc pythonmod libunbound ../