Unbound 1.24.1 released

Petr Menšík pemensik at redhat.com
Fri Oct 24 16:38:32 UTC 2025


Hi!

First things first, thank you for the great product.

However, my Fedora package has failed again on PGP key verification. The 
new release is signed with key 948EB42322C5D00B79340F5DCFF3344D9087A490.

My previous key of Wouter was not recognized. Then I realized the previous 
release was not signed by Yorgos. But some previous ones were. I went to 
the NLnet Labs People page [1] to find who that george might be. And 
surprise, no George at all.

When I refreshed the key of Yorgos, I found that I am not under attack 
and that I already have such a key, but not with this ID.

gpgv: Signature made Wed Oct 22 11:16:18 2025 CEST
gpgv:                using RSA key 948EB42322C5D00B79340F5DCFF3344D9087A490
gpgv:                issuer "george at nlnetlabs.nl"
gpgv: Can't check signature: No public key

Anyway, could one file please be created and published over HTTPS, which 
would contain both people creating source archives recently?

I had to put one key or another key [2] into my spec file; it is somehow 
unwanted, especially in archive signature verification.

It would be better if the Unbound page [3] could contain at least a 
description of which people may sign the release. Ideally a combined single 
file, which I may refresh on a new release if in doubt.

Thank you in advance!


1. https://nlnetlabs.nl/people/
2. https://src.fedoraproject.org/rpms/unbound/blob/rawhide/f/unbound.spec#_222
3. https://nlnetlabs.nl/projects/unbound/about/

On 22/10/2025 12:20, Yorgos Thessalonikefs via Unbound-users wrote:
> Hi,
>
> Unbound 1.24.1 is available:
> https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz
> sha256 7f2b1633e239409619ae0527f67878b0f33ae0ec0ee5a3a51c042c359ba1eeab
> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz.asc
>
> This security release fixes CVE-2025-11411.
>
> Promiscuous NS RRSets that complement DNS replies in the authority
> section can be used to trick resolvers to update their delegation
> information for the zone.
>
> The CVE is described here
> https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
>
> We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
> Duan from Tsinghua University for discovering and responsibly disclosing
> the vulnerability.
>
> Bug Fixes:
> - Fix CVE-2025-11411 (possible domain hijacking attack), reported by
>   Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
>   University.
>
>
> This Unbound release is signed by my PGP key.
>
> You can find my public PGP key at https://nlnetlabs.nl/people/.
>
> Also on the online key servers like
> https://keyserver.ubuntu.com/pks/lookup?search=948eb42322c5d00b79340f5dcff3344d9087a490&fingerprint=on&op=index 
>
> which is additionally signed with Wouter's key as well.
>
> Both Wouter's (PGP Key ID: 9F6F 1C2D 7E04 5F8D)
> and my key    (PGP Key ID: CFF3 344D 9087 A490)
> will be eligible for signing releases from now.
>
>
> Best regards,
> -- Yorgos
>
-- 
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
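
Added example (not part of the original message, nor code from Fedora or the Unbound project): one way a packager could verify against a combined keyring and still pin which signers are eligible, by parsing gpgv status output. It matches on the 64-bit key IDs because those are what the announcement gives for both signers; the keyring file name in the usage comment is an assumption and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: pin the eligible release signers on top of gpgv's own check.
# Key IDs are the 64-bit IDs listed in the 1.24.1 announcement (Wouter, Yorgos).
ALLOWED_SIGNERS="9F6F1C2D7E045F8D CFF3344D9087A490"

# check_signer reads `gpgv --status-fd 1 ...` output on stdin. It prints the
# accepted primary-key fingerprint and returns 0 only if every VALIDSIG line
# names a key whose long key ID is in ALLOWED_SIGNERS.
# Exit codes: 1 no valid signature, 2 signer not eligible, 3 public key missing.
check_signer() {
    awk -v allowed="$ALLOWED_SIGNERS" '
        BEGIN { n = split(allowed, ids, " "); for (i = 1; i <= n; i++) ok[ids[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { missing = $3 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # Field 12 (primary key fingerprint) is optional in the status
            # format; fall back to the signing key fingerprint in field 3.
            fpr = toupper((NF >= 12) ? $12 : $3)
            keyid = substr(fpr, length(fpr) - 15)   # last 16 hex digits
            if (keyid in ok) accepted = fpr; else rejected = fpr
        }
        END {
            if (rejected != "") { print "signer not eligible: " rejected | "cat 1>&2"; exit 2 }
            if (accepted != "") { print accepted; exit 0 }
            if (missing != "")  { print "no public key for " missing | "cat 1>&2"; exit 3 }
            print "no valid signature found" | "cat 1>&2"; exit 1
        }'
}

# Constructed status lines (not captured from a real run): a good signature.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG 948EB42322C5D00B79340F5DCFF3344D9087A490 2025-10-22 1761124578 0 4 0 1 10 00 948EB42322C5D00B79340F5DCFF3344D9087A490'
# Constructed: the "No public key" failure, signer absent from the keyring.
SAMPLE_NOKEY='[GNUPG:] NO_PUBKEY CFF3344D9087A490'
# Constructed: a valid signature made by a key that is not on the list.
SAMPLE_OTHER='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-10-22 1761124578 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Real use (keyring file name is an assumption):
#   gpgv --status-fd 1 --keyring ./unbound-signers.gpg \
#        unbound-1.24.1.tar.gz.asc unbound-1.24.1.tar.gz 2>/dev/null | check_signer
```

Where the full fingerprint of every signer is known, listing full fingerprints instead of 64-bit key IDs gives a stricter pin.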
