Benno Overeinder benno at
Wed Aug 25 10:02:24 UTC 2021

Hi Andreas,

On 17/08/2021 22:09, A. Schulze via Unbound-users wrote:
> there is rumor about some weakness in dns. Details in this thread:
> A test site is available at
> The test show unbound-1.13.2 as green (not vulnerable) but there are some hints regarding special character filtering.
> Maybe the unbound developer at nlnetlabs could rate these hints?

We did read the USENIX paper and the email thread on dns-operations. 
Currently, Unbound is binary clean in hostnames/domainnames, but we 
could implement options for additional filtering on hostnames.  (We do 
already have options for scrubbing replies in Unbound.)

However, the discussion on the mailing list also makes it clear that 
there are different ideas about *where* the bad content filtering should 
take place, in the infrastructure (ie. the name servers) or at the 
endpoint (stub resolvers and libraries).  We'd love to hear more 
community consensus to make this architectural decision.


-- Benno

Benno J. Overeinder
NLnet Labs

More information about the Unbound-users mailing list