Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

NLnetLabs/unbound
master @ ad9b12a
335
Fixes
0
CVEs
CRITICAL
Peak severity
Highlights
Denial of Service: 125 prior fixes. Scrutinize any change in this area.
services/authzone.c: most-fixed (43 issues). Treat as high-risk during review.
140 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Remote Code Execution: Unsafe copy operations in dns_msg_deepcopy_region during DNSSEC validation can cause heap-based memory corruption and write-what-where conditions, potentially leading to remote code execution. Developers must ensure structure-level assignments do not overwrite active pointer allocations.
DNS Cache Poisoning: Flaws in the message scrubbing/sanitization phase allow promiscuous, out-of-zone, or unvalidated NS records to poison the resolver's cache. Sanitizers must strictly enforce authority boundaries and restrict cache updates based on explicit, verified query types.
Auth Bypass: The DNSSEC engine has repeatedly suffered from logical bypasses when handling synthesized CNAMEs, wildcards, and negative proofs (NSEC/NSEC3), where unchecked or unsigned records in the chain of trust were treated as secure. Every referral and synthesized record path must strictly inherit validation state.