git.ipfire.org Git - thirdparty/knot-resolver.git/commitdiff
update NEWS with KeyTrap
author Vladimír Čunát <vladimir.cunat@nic.cz>
Mon, 1 Jan 2024 15:25:05 +0000 (16:25 +0100)
committer Vladimír Čunát <vladimir.cunat@nic.cz>
Tue, 13 Feb 2024 08:49:54 +0000 (09:49 +0100)
in a separate commit, as it will tend to conflict if patching

NEWS

diff --git a/NEWS b/NEWS
index 6b02cdfbb44e2c69044253d4b416f095148b0257..dd8137abf0a08e82b1e182315d65fa04a2e25b74 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,14 @@ Security
   * validator: limit the amount of work on SHA1 in NSEC3 proofs
   * validator: refuse to validate answers with more than 8 NSEC3 records
 
+- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
+  could be exploited to exhaust CPU resources and stall DNS resolvers.
+  Solution boils down mainly to limiting crypto-validations per packet.
+
+  We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner
+  from the German National Research Center for Applied Cybersecurity ATHENE
+  for bringing this vulnerability to our attention.
+
 Improvements
 ------------
 - update addresses of B.root-servers.net (!1478)
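Review bot: the new CVE-2023-50387 entry describes the fix only loosely ("Solution boils down mainly to limiting crypto-validations per packet") and, unlike the neighbouring `- update addresses of B.root-servers.net (!1478)` line, cites no merge request or ticket; the two existing Security sub-bullets above it name concrete limits (SHA1 work in NSEC3 proofs, at most 8 NSEC3 records), so consider stating the actual per-packet validation limit(s) this release introduces and adding the `(!NNNN)` reference, so operators reading NEWS can tell which versions carry the mitigation and where the change lives.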