Release 6.0.6 (!1499) · Merge requests · Knot projects / Knot Resolver

Merged Vladimír Čunát requested to merge release-6.0.6 into 6.0 1 year ago

Feb 13, 2024
- Release 6.0.6 · 4451725c
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  4451725c
- AUTHORS update · 607cec2a
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  607cec2a
- NEWS for 6.0.6 · d24ba0be
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  d24ba0be
- Merge branch 'master' into dos-feb13-6.0 · fb08513c
  Vladimír Čunát authored 1 year ago
  
  There were some nontrivial conflicts to resolve, NEWS + the line ctx->vld_limit_crypto = KR_VLD_LIMIT_CRYPTO_DEFAULT; (I had this resolution prepared for a long time.)
  Verified
  
  fb08513c
- release 5.7.1 · e20df088
  Aleš Mrázek authored 1 year ago and Vladimír Čunát committed 1 year ago
  
  Verified
  
  e20df088
- Merge: mitigate CVE-2023-50387 "KeyTrap" · 867b5f28
  Vladimír Čunát authored 1 year ago
  
  DNSSEC verification complexity could be exploited to exhaust CPU resources and stall DNS resolvers. Solution boils down mainly to limiting crypto-validations per packet.
  867b5f28
- update NEWS with KeyTrap · 7b31e7e4
  Vladimír Čunát authored 1 year ago
  
  in a separate commit, as it will tend to conflict if patching
  Verified
  
  7b31e7e4
- mitigate KeyTrap DoS = CVE-2023-50387 · cc5051b4
  Vladimír Čunát authored 1 year ago
  
  Improve: don't retry in this case.
  Verified
  
  cc5051b4
- mitigate KeyTrap DoS = CVE-2023-50387 · feb65eb9
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  feb65eb9
- lib/resolve kr_request_set_extended_error(): tweak priorities · b044babb
  Vladimír Čunát authored 1 year ago
  
  Keep the first error in case priorities are equal. At least with the current KeyTrap topic that should work better, but blaming a single error is alchemy anyway, at least in some cases.
  Verified
  
  b044babb
- lib/dnssec kr_rrset_validate_with_key(): deduplicate cleanup · f9ba52e6
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  f9ba52e6
- Merge CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU · 79179c6f
  Vladimír Čunát authored 1 year ago
  
  79179c6f
Feb 12, 2024
- validator: compatibility with older libknot versions · 9b421cdf
  Vladimír Čunát authored 1 year ago
  
  The value is in IANA registry, so it's very constant anyway.
  Verified
  
  9b421cdf
- add NEWS for NSEC3 mitigations from the previous few commits · 86dcfbaf
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  86dcfbaf
- validator: refuse to validate answers with more than 8 NSEC3 records · a05cf1d3
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  a05cf1d3
- validator: limit the amount of work on SHA1 in NSEC3 proofs · 24699e9f
  Vladimír Čunát authored 1 year ago
  
  Verified
  
  24699e9f
- lib/cache: limit the amount of work on SHA1 · b5051ac2
  Vladimír Čunát authored 1 year ago
  
  That's when searching NSEC3 aggressive cache.
  Verified
  
  b5051ac2
- validator: similarly also limit excessive NSEC3 salt length · eccb8e27
  Vladimír Čunát authored 1 year ago
  
  Limit combination of iterations and salt length, based on estimated expense of the computation. Note that the result only differs for salt length > 44 which is rather nonsensical and very rare: https://chat.dns-oarc.net/community/pl/h58qx9sjkbgt9dajb7x988p78a
  Verified
  
  eccb8e27
- validator: lower the NSEC3 iteration limit (150 -> 50) · e966b7fd
  Vladimír Čunát authored 1 year ago
  
  Also done by BIND9 >= 9.19.19: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8515 The latest real-life measurements show that values above 50 are rare: https://chat.dns-oarc.net/community/pl/aadp9wwrp7g7ux1b8chbzebmze
  Verified
  
  e966b7fd

Admin message

Release 6.0.6

Merge request reports

Activity