Dear Knot Resolver users,
Knot Resolver versions 5.7.1 (stable) and 6.0.6 (early-access) have been
released!
These releases include important security fixes, an update is strongly
advised!
Security:
- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
* validator: lower the NSEC3 iteration limit (150 -> 50)
* validator: similarly also limit excessive NSEC3 salt length
* cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
* validator: limit the amount of work on SHA1 in NSEC3 proofs
* validator: refuse to validate answers with more than 8 NSEC3 records
- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
could be exploited to exhaust CPU resources and stall DNS resolvers.
Solution boils down mainly to limiting crypto-validations per packet.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel
and Michael Waidner
from the German National Research Center for Applied Cybersecurity ATHENE
for bringing this vulnerability to our attention.
Improvements:
- update addresses of B.root-servers.net (!1478)
Bugfixes:
- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
The update affects how some cached records are being treated, which may
trip up some sanity checking mechanisms in Knot Resolver if you have
advanced debugging options enabled (disabled by default),
"debugging.assertion_abort" for version 5 (Lua) and
"logging/debugging/assertation-abort" for version 6 (YAML). In case you
encounter any issues, please try clearing the cache first.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.1/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
we would like to introduce you to Knot Resolver 6.x!
This future version of the resolver is now in the testing phase.
An article was published on our blog as part of this introduction.
EN: https://en.blog.nic.cz/2023/12/15/knot-resolver-6-x-news
CZ: https://blog.nic.cz/2023/12/15/novinky-v-knot-resolver-6-x
We will be happy if you try the new version and give us any feedback.
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 5.7.0 has been released!
Security
- avoid excessive TCP reconnections in a few more cases
Like before, the remote server had to behave nonsensically in order
to inflict this upon itself, but it might be abusable for DoS.
We thank Ivan Jedek from OryxLabs for reporting this.
Improvements
- forwarding mode: tweak dealing with failures from forwarders,
in particular prefer sending CD=0 upstream (!1392)
Bugfixes
- fix unusual timestamp format in debug dumps of records (!1386)
- adjust linker options; it should help less common platforms (!1384)
- hints module: fix names inside home.arpa. (!1406)
- EDNS padding (RFC 8467) compatibility with knot-dns 3.3 libs (!1422)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.0/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
Dear Knot Resolver users,
Knot Resolver 5.6.0 has been released!
Security
- avoid excessive TCP reconnections in some cases (!1380)
For example, a DNS server that just closes connections without answer
could cause lots of work for the resolver (and itself, too).
The number of connections could be up to around 100 per client's query.
We thank Xiang Li from NISL Lab, Tsinghua University,
and Xuesong Bai and Qifan Zhang from DSP Lab, UCI.
Improvements
- daemon: feed server selection with more kinds of bad-answer events (!1380)
- cache.max_ttl(): lower the default from six days to one day
and apply both limits to the first uncached answer already (!1323 #127)
- depend on jemalloc, preferably, to improve memory usage (!1353)
- no longer accept DNS messages with trailing data (!1365)
- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)
Bugfixes
- policy.DEBUG_IF: don't print client's packet unconditionally (!1366)
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.6.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.6.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.6.0/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE
