Date: Wed, 26 Nov 2025 22:47:52 +0000
From: Shawn Webb
To: Gordon Tetlow
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: 2a3a6a177114 - main - Mitigate YXDOMAIN and nodata non-referral answer poisoning.
X-Operating-System: FreeBSD mutt-hbsd 14.3-STABLE-HBSD FreeBSD 14.3-STABLE-HBSD HARDENEDBSD-14-STABLE amd64
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
References: <69272395.3426e.56ff4912@gitrepo.freebsd.org>
In-Reply-To: <69272395.3426e.56ff4912@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

On Wed, Nov 26, 2025 at 03:58:13PM +0000, Gordon Tetlow wrote:
> The branch main has been updated by gordon:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=2a3a6a1771148a709c2d9694c1d66c41ce8dee79
>
> commit 2a3a6a1771148a709c2d9694c1d66c41ce8dee79
> Author: Gordon Tetlow
> AuthorDate: 2025-11-21 21:24:58 +0000
> Commit: Gordon Tetlow
> CommitDate: 2025-11-26 15:57:33 +0000
>
> Mitigate YXDOMAIN and nodata non-referral answer poisoning.
> =20 > Add a fix to apply scrubbing of unsolicited NS RRSets (and their > respective address records) for YXDOMAIN and nodata non-referral > answers. This prevents a malicious actor from exploiting a possible > cache poison attack. > =20 > Obtained from: NLnet Labs > Security: CVE-2025-11411 > --- > contrib/unbound/iterator/iter_scrub.c | 39 +++++++++++++++++++++++++++++= ++---- > 1 file changed, 35 insertions(+), 4 deletions(-) >=20 > diff --git a/contrib/unbound/iterator/iter_scrub.c b/contrib/unbound/iter= ator/iter_scrub.c > index 553d3655f0e3..8507a3fb65ac 100644 > --- a/contrib/unbound/iterator/iter_scrub.c > +++ b/contrib/unbound/iterator/iter_scrub.c > @@ -418,12 +418,13 @@ shorten_rrset(sldns_buffer* pkt, struct rrset_parse= * rrset, int count) > * @param qinfo: original query. > * @param region: where to allocate synthesized CNAMEs. > * @param env: module env with config options. > + * @param zonename: name of server zone. > * @return 0 on error. > */ > static int > scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,=20 > struct query_info* qinfo, struct regional* region, > - struct module_env* env) > + struct module_env* env, uint8_t* zonename) > { > uint8_t* sname =3D qinfo->qname; > size_t snamelen =3D qinfo->qname_len; > @@ -431,7 +432,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* = msg, > int cname_length =3D 0; /* number of CNAMEs, or DNAMEs */ > =20 > if(FLAGS_GET_RCODE(msg->flags) !=3D LDNS_RCODE_NOERROR && > - FLAGS_GET_RCODE(msg->flags) !=3D LDNS_RCODE_NXDOMAIN) > + FLAGS_GET_RCODE(msg->flags) !=3D LDNS_RCODE_NXDOMAIN && > + FLAGS_GET_RCODE(msg->flags) !=3D LDNS_RCODE_YXDOMAIN) > return 1; > =20 > /* For the ANSWER section, remove all "irrelevant" records and add 
> @@ -470,6 +472,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse*= msg, > &aliaslen, pkt)) { > verbose(VERB_ALGO, "synthesized CNAME " > "too long"); > + if(FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_YXDOMAIN) { > + prev =3D rrset; > + rrset =3D rrset->rrset_all_next; > + continue; > + } > return 0; > } > cname_length++; > @@ -650,6 +657,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse*= msg, > "RRset:", pkt, msg, prev, &rrset); > continue; > } > + /* Also delete promiscuous NS for other RCODEs */ > + if(FLAGS_GET_RCODE(msg->flags) !=3D LDNS_RCODE_NOERROR > + && env->cfg->iter_scrub_promiscuous) { > + remove_rrset("normalize: removing promiscuous " > + "RRset:", pkt, msg, prev, &rrset); > + continue; > + } > + /* Also delete promiscuous NS for NOERROR with nodata > + * for authoritative answers, not for delegations. > + * NOERROR with an_rrsets!=3D0 already handled. > + * Also NOERROR and soa_in_auth already handled. > + * NOERROR with an_rrsets=3D=3D0, and not a referral. > + * referral is (NS not the zonename, noSOA). > + */ > + if(FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_NOERROR > + && msg->an_rrsets =3D=3D 0 > + && !(dname_pkt_compare(pkt, rrset->dname, > + zonename) !=3D 0 && !soa_in_auth(msg)) > + && env->cfg->iter_scrub_promiscuous) { > + remove_rrset("normalize: removing promiscuous " > + "RRset:", pkt, msg, prev, &rrset); > + continue; > + } > if(nsset =3D=3D NULL) { > nsset =3D rrset; > } else { > @@ -1060,7 +1090,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* = msg, > /* this is not required for basic operation but is a forgery=20 > * resistance (security) feature */ > if((FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_NOERROR || > - FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_NXDOMAIN) && > + FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_NXDOMAIN || > + FLAGS_GET_RCODE(msg->flags) =3D=3D LDNS_RCODE_YXDOMAIN) && > msg->qdcount =3D=3D 0) > return 0; > =20 
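Review bot: in the @@ -470,6 +472,11 @@ hunk, the new YXDOMAIN branch after the "synthesized CNAME too long" message advances past the offending RRset and continues, while NOERROR and NXDOMAIN still reject the whole message via `return 0;`; the divergence deserves a comment in the code stating why a too-long synthesized name is tolerated for YXDOMAIN. Note also that `cname_length++` is skipped on this path, so the CNAME/DNAME chain count does not include the skipped record; if that is intended, say so in the same comment.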
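Review bot: both new removal blocks in the @@ -650,6 +657,29 @@ hunk are gated on `env->cfg->iter_scrub_promiscuous`, so with that option disabled the scrubbing described in the commit message does not take place; for a change carrying a CVE reference the commit message should state that dependence, or the gate should be reconsidered. Also, the second condition, `!(dname_pkt_compare(pkt, rrset->dname, zonename) != 0 && !soa_in_auth(msg))`, is a double negation that is hard to check against the comment "referral is (NS not the zonename, noSOA)"; the equivalent `(dname_pkt_compare(pkt, rrset->dname, zonename) == 0 || soa_in_auth(msg))` states the non-referral test directly.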
> @@ -1074,7 +1105,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* = msg, > } > =20 > /* normalize the response, this cleans up the additional. */ > - if(!scrub_normalize(pkt, msg, qinfo, region, env)) > + if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename)) > return 0; > /* delete all out-of-zone information */ > if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate)) >=20

Hey Gordon,

Do you know if this fix was the incomplete one from Unbound 1.24.1? Or does this include the additional fix that landed in 1.24.2 earlier today?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc