Dear Knot Resolver users,
DNS Shotgun v20240219, our high-performance realistic benchmarking tool
for DNS resolvers, has been released.
This new release, amongst a variety of other improvements, brings
support for testing DNS-over-QUIC.
Incompatible changes:
- CMake is now being used to build dnssim instead of Autotools
- GnuTLS 3.7.5+ is now required
Improvements:
- pcap/extract-clients: always reset UDP port numbers to 53 (!56)
- pcap/extract-clients: ability to write to stdout (!62)
- pcap/filter-dnsq: skip 'special' queries for *.dotnxdomain.net (!58)
- pcap/split-clients: new tool to split larger PCAPs into smaller ones (!61)
- pcap/merge-chunks: allow disabling randomization (!67)
- tools/plot-latency: ability to diversify lines with linestyles (!69)
- tools/plot-response-rate: estimate worst-case drop caused by discarded
packets (!74)
- tools/plot-packet-rate: handle incomplete last sampling period (!71)
- tools/plot-response-rate: ability to ignore RCODEs with small response
rate (!73)
- pcap/filter-dnsq: ability to log malformed queries (!72)
- pcap/generate-const-qps: new tool to generate constant QPS (!33)
- tools: allow customizing plot charts with `SHOTGUN_MPLSTYLES` (!65)
- replay: `--preload` argument, mainly for dnssim debugging with
sanitizers (!76)
- tools/plot-latency: use fractional values for humans in charts (!78)
- pcap/extract-clients: warn if some input packets were skipped (!80)
- dnssim: replace Autotools with CMake (!77, !86)
- configs: DoH configs with exclusively GET/POST methods (!82)
- tools/plot-response-rate: avoid division by zero (!89)
- tools/plot-latency: denser labels to improve logarithmic scale
readability (!90)
- pcap/extract-clients: allow query rewriting - anonymization (!91)
- Support for DNS-over-QUIC (!75)
Bugfixes:
- tools/plot-response-rate: avoid white lines on white background (!55)
- tools/plot-client-distribution: properly handle file limit (!59)
- pcap: proper PCAP write error handling (!60)
- tools/plot-connections: set axis limits properly (!66)
- tools/plot-packet-rate: trim chart whitespace (!79)
- replay: do not exit silently when dnssim returns non-zero (!87)
Full changelog:
https://gitlab.nic.cz/knot/shotgun/-/releases/v20240219
Sources:
https://gitlab.nic.cz/knot/shotgun/-/archive/v20240219/shotgun-v20240219.ta…
Documentation:
https://dns-shotgun.readthedocs.io/en/v20240219/
Oto Šťáva
Knot Resolver
CZ.NIC z.s.p.o.
Dear Knot Resolver users,
Knot Resolver versions 5.7.1 (stable) and 6.0.6 (early-access) have been
released!
These releases include important security fixes, an update is strongly
advised!
Security:
- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
* validator: lower the NSEC3 iteration limit (150 -> 50)
* validator: similarly also limit excessive NSEC3 salt length
* cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
* validator: limit the amount of work on SHA1 in NSEC3 proofs
* validator: refuse to validate answers with more than 8 NSEC3 records
- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
could be exploited to exhaust CPU resources and stall DNS resolvers.
Solution boils down mainly to limiting crypto-validations per packet.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel
and Michael Waidner
from the German National Research Center for Applied Cybersecurity ATHENE
for bringing this vulnerability to our attention.
Improvements:
- update addresses of B.root-servers.net (!1478)
Bugfixes:
- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
The update affects how some cached records are being treated, which may
trip up some sanity checking mechanisms in Knot Resolver if you have
advanced debugging options enabled (disabled by default),
"debugging.assertion_abort" for version 5 (Lua) and
"logging/debugging/assertation-abort" for version 6 (YAML). In case you
encounter any issues, please try clearing the cache first.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.1/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
