Unbound 1.24.2 released
We are pleased to announce the release of version 1.24.2 of the Unbound recursive DNS resolver.
This security release provides an additional fix for CVE-2025-11411.
Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. If a malicious actor is able to attach such records to a reply (i.e., through a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache for the delegation point.
Unbound 1.24.1 included a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poison effect.
Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies as well, mitigating the possible poison effect.
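A simplified model of the scrubbing described above, added here as an illustration; it is not Unbound's code. The reply classification, the `RR`/`Reply` types, the `PARTIAL`/`FULL` coverage sets and all sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass(frozen=True)
class Reply:
    rcode: str
    answer: tuple = ()
    authority: tuple = ()
    additional: tuple = ()

def reply_kind(r):
    """Simplified classification (assumption, not Unbound's classifier)."""
    if r.rcode == "YXDOMAIN":
        return "yxdomain"
    if r.rcode != "NOERROR":
        return "other"
    if r.answer:
        return "answer"
    types = {rr.rtype for rr in r.authority}
    # No answer, NS but no SOA in authority: treat as a delegation (referral).
    return "referral" if "NS" in types and "SOA" not in types else "nodata"

def scrub(r, scrubbed_kinds):
    """Drop authority NS RRsets and their address records for scrubbed kinds."""
    if reply_kind(r) not in scrubbed_kinds:
        return r
    targets = {rr.rdata.lower() for rr in r.authority if rr.rtype == "NS"}
    authority = tuple(rr for rr in r.authority if rr.rtype != "NS")
    additional = tuple(rr for rr in r.additional
                       if not (rr.rtype in ("A", "AAAA") and rr.name.lower() in targets))
    return replace(r, authority=authority, additional=additional)

# Constructed sample records (documentation names and addresses only).
SOA = RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300")
EXTRA_NS = RR("example.com.", "NS", "ns.injected.test.")
EXTRA_A = RR("ns.injected.test.", "A", "192.0.2.66")

NODATA = Reply("NOERROR", (), (SOA, EXTRA_NS), (EXTRA_A,))
YXDOMAIN = Reply("YXDOMAIN", (), (EXTRA_NS,), (EXTRA_A,))
REFERRAL = Reply("NOERROR", (), (RR("example.com.", "NS", "ns1.example.com."),),
                 (RR("ns1.example.com.", "A", "192.0.2.1"),))

PARTIAL = {"answer"}                    # assumed coverage before the additional fix
FULL = {"answer", "nodata", "yxdomain"}  # coverage including the reply kinds named above
```

With `PARTIAL`, the unsolicited NS RRSet and its address record pass through the nodata and YXDOMAIN replies unchanged; with `FULL` they are removed, while the genuine referral is left intact.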
We would like to thank TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University for discovering and responsibly disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.
For a full list of changes, binary and source packages, see the download page.