Unbound 1.24.1 released
Yorgos Thessalonikefs
yorgos at nlnetlabs.nl
Mon Oct 27 08:47:26 UTC 2025
Hi Petr,
My public key should have several identities:
- yorgos at nlnetlabs.nl
- yorgos at opennetlabs.com
- george at nlnetlabs.nl
- george at opennetlabs.com
One of them is used to interact with this mailing list.
All of them are associated with NLnet Labs (and the NLnet Labs' owned
Open Netlabs subsidiary)
I also explicitly listed Wouter's and mine PGP Key IDs at the end of my
previous email.
For the single key/file remark I will reply to Phil's email since he
also raises the same issue.
Best regards,
-- Yorgos
On 24/10/2025 18:38, Petr Menšík via Unbound-users wrote:
> Hi!
>
> First things first, thank you for the great product.
>
> However, my Fedora package has failed again on PGP key verification. New
> release is signed with key 948EB42322C5D00B79340F5DCFF3344D9087A490.
>
> My previous key of Wouter were not recognized. Then I realized previous
> release were not signed by Yorgos. But some previous were. I went to
> NLNetlabs People page [1] to find who that george might be. And
> surprise, no George at all.
>
> When I refreshed the key of Yorgos, I found then I am not under attack
> and I already have such key, but not with this id.
>
> gpgv: Signature made Wed Oct 22 11:16:18 2025 CEST
> gpgv: using RSA key 948EB42322C5D00B79340F5DCFF3344D9087A490
> gpgv: issuer "george at nlnetlabs.nl"
> gpgv: Can't check signature: No public key
>
> Anyway, could be please created one file published over HTTPS, which
> would contain both people creating source archives recently?
>
> I had to put one key or another key [2] into my spec file, it is somehow
> unwanted, especially in archive signature verification.
>
> It would be better if unbound page [3] could contain at least
> description which people may sign the release. Ideally combined single
> file, which I may refresh on new release if in doubt.
>
> Thank you in advance!
>
>
> 1. https://nlnetlabs.nl/people/
> 2. https://src.fedoraproject.org/rpms/unbound/blob/rawhide/f/
> unbound.spec#_222
> 3. https://nlnetlabs.nl/projects/unbound/about/
>
> On 22/10/2025 12:20, Yorgos Thessalonikefs via Unbound-users wrote:
>> Hi,
>>
>> Unbound 1.24.1 is available:
>> https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz
>> sha256 7f2b1633e239409619ae0527f67878b0f33ae0ec0ee5a3a51c042c359ba1eeab
>> pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz.asc
>>
>> This security release fixes CVE-2025-11411.
>>
>> Promiscuous NS RRSets that complement DNS replies in the authority
>> section can be used to trick resolvers to update their delegation
>> information for the zone.
>>
>> The CVE is described here
>> https://nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
>>
>> We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
>> Duan from Tsinghua University for discovering and responsibly disclosing
>> the vulnerability.
>>
>> Bug Fixes:
>> - Fix CVE-2025-11411 (possible domain hijacking attack), reported by
>> Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua
>> University.
>>
>>
>> This Unbound release is signed by my PGP key.
>>
>> You can find my public PGP key at https://nlnetlabs.nl/people/.
>>
>> Also on the online key servers like
>> https://keyserver.ubuntu.com/pks/lookup?
>> search=948eb42322c5d00b79340f5dcff3344d9087a490&fingerprint=on&op=index
>> which is additionally signed with Wouter's key as well.
>>
>> Both Wouter's (PGP Key ID: 9F6F 1C2D 7E04 5F8D)
>> and my key (PGP Key ID: CFF3 344D 9087 A490)
>> will be eligible for signing releases from now.
>>
>>
>> Best regards,
>> -- Yorgos
>>
More information about the Unbound-users
mailing list