Your message dated Sun, 07 Dec 2025 17:17:31 +0000
with message-id <[email protected]>
and subject line Bug#1100870: fixed in unbound 1.17.1-2+deb12u4
has caused the Debian Bug report #1100870,
regarding unbound-anchor is unable to recover from full disk
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1100870: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100870
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound-anchor
Version: 1.17.1-2+deb12u2
Severity: important
Dear Maintainer,
We've been using unbound-anchor on our servers for a good while now and
we've been struggling with an issue that has an impact on the
reliability of the local DNS resolver.
When machines end up having their disk completely filled up,
unbound-anchor ends up squashing all of the files used as
auto-trust-anchor-file with just an empty file and can't add in the
expected contents. When this happens, the contents of the anchor files
are lost so unbound is 1. unable to start back up and 2. unable to
recover from the situation unless a human intervenes.
2 means that when this happens, dns can be broken for a while before we
realise that this situation is happening.
Luckily, upstream has already fixed this:
https://github.com/NLnetLabs/unbound/issues/595
The fix has been released with version 1.20, so we'll have it in trixie!
However, I was wondering if it could be possible to backport the patch
to bookworm so that users can have a more stable dns resolver until they
can upgrade to trixie.
The patch mentioned in the issue is relatively simple, so it shouldn't
be too much of a hassle to backport, I think:
https://github.com/NLnetLabs/unbound/commit/8575d5b35ce3b91b41962fbba69030cc8789c3bf
Cheers!
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.17-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unbound-anchor depends on:
ii libc6 2.41-5
ii libexpat1 2.7.0-1
ii libssl3t64 3.4.1-1
ii libunbound8 1.22.0-1+b1
unbound-anchor recommends no packages.
unbound-anchor suggests no packages.
--- End Message ---
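The failure mode described in the report above, next to the write-to-a-temporary-file-then-rename pattern that avoids it, as an added example that is not part of the original message and is not unbound-anchor's code or the upstream patch. The function names, the `.tmp` suffix, the file name `demo-root.key` and the `RLIMIT_FSIZE` setting that stands in for a full disk on Linux are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Fragile: O_TRUNC empties the old file before any new byte is stored. */
int replace_in_place(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write(fd, data, len) == (ssize_t)len ? 0 : -1;  /* short write = failure */
    return close(fd) != 0 ? -1 : rc;
}

/* Robust: build the new file beside the old one, swap only when complete. */
int replace_via_temp(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    int n = snprintf(tmp, sizeof tmp, "%s.tmp", path);  /* suffix is illustrative */
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write(fd, data, len) == (ssize_t)len ? 0 : -1;
    if (rc == 0 && fsync(fd) != 0) rc = -1;          /* on disk before the swap */
    if (close(fd) != 0) rc = -1;
    if (rc == 0 && rename(tmp, path) != 0) rc = -1;  /* atomic on one filesystem */
    if (rc != 0) unlink(tmp);                        /* old file was never touched */
    return rc;
}

/* Constructed test aid (Linux): RLIMIT_FSIZE 0 makes writes fail, as ENOSPC would. */
int set_writes_fail(int on)
{
    struct rlimit rl;
    signal(SIGXFSZ, SIG_IGN);            /* get an error instead of being killed */
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = on ? 0 : rl.rlim_max;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

int main(void)
{
    const char *path = "demo-root.key";  /* constructed file name */
    if (replace_via_temp(path, "constructed anchor\n", 19) || set_writes_fail(1)) return 1;
    printf("via_temp rc=%d\n", replace_via_temp(path, "new\n", 4));  /* old contents kept */
    printf("in_place rc=%d\n", replace_in_place(path, "new\n", 4));  /* file left empty */
    set_writes_fail(0);
    return 0;
}
```

For monitoring, a zero-length auto-trust-anchor-file after a disk-full event is the symptom to watch for, since the report notes that unbound cannot start from it without manual intervention.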
--- Begin Message ---
Source: unbound
Source-Version: 1.17.1-2+deb12u4
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 30 Nov 2025 13:33:55 +0300
Source: unbound
Architecture: source
Version: 1.17.1-2+deb12u4
Distribution: bookworm
Urgency: medium
Maintainer: unbound packagers <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 1100870 1121446
Changes:
 unbound (1.17.1-2+deb12u4) bookworm; urgency=medium
 .
   * CVE-2024-33655.patch: remove unrelated change
     testdata/fwd_udptmout.tdir/fwd_udptmout.conf is not modified
     by the upstream commit in question (c3206f4568f6)
   * fix-823-Response-change-to-NODATA-for-some-ANY-queries.patch
     Fixes: https://github.com/NLnetLabs/unbound/issues/823
   * fix-not-following-cleared-RD-flags-amplification.patch
     fix potential amplification DDoS attacks
   * replace combined CVE-2023-50387_CVE-2023-50868_1.16.1-1.17.1.patch
     with 2 separate upstream commits, add patch descriptions, and add
     missing changes for testdata files:
      o CVE-2023-50387-DNSSEC-verification-complexity.patch
      o CVE-2023-50387_CVE-2023-50868_1.16.1-1.17.1.patch
   * 3 changes to fix CVE-2025-11411 (possible domain hijacking attack):
      o 1-iterator-iter_scrub.c-pass-module_env-parameter-to-s.patch
        (a change from "Add harden-unknown-additional option" upstream patch)
      o 2-possible-domain-hijacking-attack.patch
      o 3-additional-fix-for-possible-domain-hijacking.patch
     (Closes: #1121446)
   * fix-595-unbound-anchor-cannot-deal-with-full-disk.patch
     Fixes: https://github.com/NLnetLabs/unbound/issues/595
     (Closes: #1100870)
   * d/gbp.conf: set default branch to debian/bookworm
--- End Message ---