[knot-dns-users] Knot Resolver 1.3.3 security release

Vladimír Čunát vladimir.cunat at nic.cz
Wed Aug 9 16:36:02 CEST 2017


Dear Knot Resolver users,

Knot Resolver 1.3.3 is a critical security release!

Security
--------
- Fix a critical DNSSEC flaw.  Signatures might be accepted as valid
  even if the signed data was not within the bailiwick of the DNSKEY used
  to sign it, assuming the trust chain to that DNSKEY was valid.

Bugfixes
--------
- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
- utils: fix possible incorrect seeding of the random generator
- modules/http: fix compatibility with the Prometheus text format

Improvements
------------
- policy: implement remaining special-use domain names from RFC6761 (#205),
  and make these rules apply only if no other non-chain rule applies


It is strongly recommended to update from any older versions, or at least
to mitigate the security problem by applying this small patch:
https://gitlab.labs.nic.cz/knot/knot-resolver/commit/d7d7cae5a3.patch

Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v1.3.3/NEWS

Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.3.3.tar.xz

GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-1.3.3.tar.xz.asc

Documentation:
http://knot-resolver.readthedocs.io/en/v1.3.3/

--Vladimir
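As an added illustration of the two RRSIG sanity checks touched by this release (the bailiwick flaw in the Security section and the "bad label count" bugfix), here is a small stand-alone Python sketch. It is not Knot Resolver's code; the function names and the textual-name inputs are assumptions made for the example, and it covers only the pre-cryptographic checks a validator applies before verifying the signature itself.

```python
"""Added example (not Knot Resolver's own code): the name-based checks a
DNSSEC validator must apply to an RRSIG before trusting it.

An RRSIG over an RRset may only be accepted when the RRset owner name is
at or below the zone that owns the signing DNSKEY (the RRSIG signer name).
The label-count rule follows RFC 4035 section 5.3.1.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a textual DNS name into labels, lower-cased (DNS names are
    case-insensitive); the root name "." yields an empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` equals `zone` or is a descendant of it.
    Comparison is label-wise, so "notexample.com" is NOT under "example.com"."""
    o, z = _labels(owner), _labels(zone)
    if not z:               # the root zone contains every name
        return True
    return len(o) >= len(z) and o[-len(z):] == z


def rrsig_acceptable(owner: str, signer: str, rrsig_labels: int,
                     dnskey_owner: str) -> tuple[bool, str]:
    """Pre-crypto checks for one RRSIG. Returns (accept, reason).

    owner        - owner name of the RRset being validated
    signer       - RRSIG Signer's Name field
    rrsig_labels - RRSIG Labels field
    dnskey_owner - owner name of the DNSKEY the trust chain led to
    """
    # The key must belong to the zone the signature claims to come from.
    if _labels(signer) != _labels(dnskey_owner):
        return False, "signer name does not match DNSKEY owner"
    # The flaw fixed in 1.3.3: a valid key for zone A must never be allowed
    # to vouch for data that lives outside zone A.
    if not in_bailiwick(owner, signer):
        return False, "owner not in bailiwick of signer"
    # RFC 4035 5.3.1: owner label count must be >= the Labels field.
    # A violating RRSIG is skipped (other RRSIGs may still validate)
    # rather than failing the whole query.
    if rrsig_labels > len(_labels(owner)):
        return False, "bad label count (skip this RRSIG)"
    return True, "ok"
```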
