* [PATCH] RPZ: ignore ZONEMD records to prevent root priming failure
@ 2026-02-17 9:07 ummeegge
From: ummeegge @ 2026-02-17 9:07 UTC (permalink / raw)
To: development; +Cc: ummeegge
RPZ zones with an apex ZONEMD RR (type 63) create a phantom QNAME trigger for the root
zone (.) after strip_dname_origin(), breaking DNSSEC priming:
"rpz: applied [dbl-ads] . rpz-local-data . DNSKEY IN"
Fixes: https://github.com/NLnetLabs/unbound/issues/1404
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
---
lfs/unbound | 5 +++++
src/patches/unbound-rpz-ignore-zonemd.patch | 21 +++++++++++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 src/patches/unbound-rpz-ignore-zonemd.patch
diff --git a/lfs/unbound b/lfs/unbound
index 5df07f965..bab323c2b 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -70,6 +70,11 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+ # Apply unbound RPZ ZONEMD fix.
+ # Fix should be included in one of the following versions
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/unbound-rpz-ignore-zonemd.patch
+
cd $(DIR_APP) && \
./configure \
--prefix=/usr \
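Review bot: the comment `# Fix should be included in one of the following versions` is too vague for a future maintainer to know when this line can go; state the unbound version the patch was made against (the patch file says `Tested-on: unbound-1.24.2`) and point at https://github.com/NLnetLabs/unbound/issues/1404 or the upstream commit that carries the fix, because the unconditional `patch -Np1 -i ...` will make the build fail at this line as soon as the tarball is bumped to a release that already has the `case LDNS_RR_TYPE_ZONEMD:` line.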
diff --git a/src/patches/unbound-rpz-ignore-zonemd.patch b/src/patches/unbound-rpz-ignore-zonemd.patch
new file mode 100644
index 000000000..c761e52a8
--- /dev/null
+++ b/src/patches/unbound-rpz-ignore-zonemd.patch
@@ -0,0 +1,21 @@
+Subject: [PATCH] RPZ: ignore ZONEMD records to prevent root priming failure
+
+RPZ zones with apex ZONEMD RR (type 63) create phantom QNAME trigger for root
+zone (.) after strip_dname_origin(), breaking DNSSEC priming:
+"rpz: applied [dbl-ads] . rpz-local-data . DNSKEY IN"
+
+Fixes: https://github.com/NLnetLabs/unbound/issues/1404
+Tested-on: unbound-1.24.2
+
+diff -Nur unbound-1.24.2.orig/services/rpz.c unbound-1.24.2/services/rpz.c
+--- unbound-1.24.2.orig/services/rpz.c 2025-11-26 10:16:06.000000000 +0000
++++ unbound-1.24.2/services/rpz.c 2026-02-16 10:00:46.973582336 +0000
+@@ -160,6 +160,7 @@
+ case LDNS_RR_TYPE_NSEC:
+ case LDNS_RR_TYPE_NSEC3:
+ case LDNS_RR_TYPE_NSEC3PARAM:
++ case LDNS_RR_TYPE_ZONEMD:
+ return 1;
+ default:
+ break;
+
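Review bot: the hunk header `@@ -160,6 +160,7 @@` carries no function name, so the patch file should say which switch in services/rpz.c it targets; the visible context only shows NSEC, NSEC3 and NSEC3PARAM returning 1, so whether the other apex-only types of a signed RPZ feed (RRSIG, DNSKEY) take the same path is not visible here and is worth confirming against the full switch rather than fixing ZONEMD alone. Also add a regression check to the patch description: after rebuilding, load an RPZ zone that has a ZONEMD record at its apex and confirm that `rpz: applied [...] . rpz-local-data . DNSKEY IN` no longer appears and that root DNSKEY priming (validation of a signed name) succeeds.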
--
2.43.0
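The commit message above describes an RPZ feed whose apex ZONEMD record turns into a trigger for "." once the zone origin is stripped, so that every query, including the root DNSKEY priming query, matches the rule. As an added example (not code from this patch or from the Unbound project), the following Python script parses an RPZ zone file, emulates the origin stripping, and reports apex ZONEMD records that would hit this bug on an unpatched resolver; it also scans Unbound log lines for the root-trigger hit quoted in the message. The sample zone and log lines are constructed, the ZONEMD digest is a dummy, and both the `strip_dname_origin` emulation and the field layout of the log line (zone tag, trigger, action, qname, qtype, qclass) are assumptions drawn from the message, not from Unbound's C code.

```python
import re
from typing import Dict, List, Tuple

# RR type numbers used below (ZONEMD = 63, as stated in the commit message).
RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TXT": 16, "AAAA": 28,
            "NSEC": 47, "DNSKEY": 48, "NSEC3": 50, "NSEC3PARAM": 51, "ZONEMD": 63}
ZONEMD = RR_TYPES["ZONEMD"]

# Constructed sample: an RPZ feed that carries a ZONEMD record at its apex.
# The digest is a dummy hex string, not a real hash of the zone.
SAMPLE_ZONE = """\
$ORIGIN dbl-ads.rpz.example.
$TTL 300
@                  IN SOA   ns.example. hostmaster.example. 2026021701 3600 600 86400 300
                   IN NS    localhost.
@                  IN ZONEMD 2026021701 1 1 0123456789abcdef0123456789abcdef
tracker.example    IN CNAME .
*.tracker.example  IN CNAME .
"""

def rr_type_number(token: str) -> int:
    """Map a type mnemonic or generic TYPEnnn token to its number (0 if unknown)."""
    token = token.upper()
    if token.startswith("TYPE") and token[4:].isdigit():
        return int(token[4:])
    return RR_TYPES.get(token, 0)

def absolute_name(name: str, origin: str) -> str:
    """Turn a zone-file owner name into a lowercase absolute name ending in '.'."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def strip_dname_origin(name: str, origin: str) -> str:
    """Emulate removing the RPZ zone origin from an owner name to get the trigger.
    The apex itself collapses to '.', the phantom root trigger the commit message
    describes (assumed behaviour, not a transcription of Unbound's C function)."""
    if name == origin:
        return "."
    suffix = "." + origin
    if origin != "." and name.endswith(suffix):
        return name[:-len(suffix)] + "."
    return name

def parse_zone(zone_text: str) -> Tuple[str, List[Tuple[str, int, str]]]:
    """Minimal zone-file parser: returns (origin, [(owner, type_number, rdata), ...]).
    Handles $ORIGIN, $TTL, ';' comments, optional TTL/class and blank-owner lines."""
    origin, last_owner = ".", "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            last_owner = origin
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0].isspace():
            owner = last_owner          # blank owner field: reuse the previous owner
        else:
            owner = absolute_name(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():                       # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
            tokens.pop(0)
        if not tokens:
            continue
        records.append((owner, rr_type_number(tokens[0]), " ".join(tokens[1:])))
    return origin, records

def apex_zonemd_records(zone_text: str) -> List[Tuple[str, int, str]]:
    """Return ZONEMD records whose owner strips to '.', i.e. the records an
    unpatched resolver would turn into a catch-all RPZ rule."""
    origin, records = parse_zone(zone_text)
    return [(strip_dname_origin(owner, origin), rtype, rdata)
            for owner, rtype, rdata in records
            if rtype == ZONEMD and strip_dname_origin(owner, origin) == "."]

# Log line shape taken from the commit message (field meaning is an assumption):
#   rpz: applied [<zone tag>] <trigger> <action> <qname> <qtype> <qclass>
# Only hits whose trigger is the root name '.' are reported.
ROOT_TRIGGER_HIT = re.compile(
    r"rpz: applied \[(?P<zone>[^\]]+)\] \. (?P<action>\S+) "
    r"(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)")

def find_root_trigger_hits(log_lines: List[str]) -> List[Dict[str, str]]:
    """Pick out RPZ hits whose trigger is '.'; on an unpatched resolver these
    show the phantom rule firing, e.g. on the root DNSKEY priming query."""
    hits = []
    for line in log_lines:
        m = ROOT_TRIGGER_HIT.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

# Constructed log lines; the first reproduces the one quoted in the commit message.
SAMPLE_LOG = [
    "info: rpz: applied [dbl-ads] . rpz-local-data . DNSKEY IN",
    "info: rpz: applied [dbl-ads] tracker.example. rpz-local-data tracker.example. A IN",
]

if __name__ == "__main__":
    for trigger, rtype, _ in apex_zonemd_records(SAMPLE_ZONE):
        print(f"apex ZONEMD (type {rtype}) would become trigger {trigger!r}")
    for hit in find_root_trigger_hits(SAMPLE_LOG):
        print(f"root trigger fired in zone {hit['zone']}: {hit['qname']} {hit['qtype']}")
```

Running the script against a real feed (replace `SAMPLE_ZONE` with the file contents) tells you before deployment whether the feed carries an apex ZONEMD record at all; running `find_root_trigger_hits` over the resolver's log after the upgrade confirms the phantom rule no longer fires, which is the check a rebuild with this patch should be judged by.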