- Knot Resolver 5.x.y (202y-mm-dd)
+Knot Resolver 6.0.6 (2024-0m-dd)
+================================
+
+Improvements
+------------
+- tweak the default run_dir on non-Linux (!1481)
+
+
+Knot Resolver 6.0.5 (2024-01-09)
+================================
+
+6.0.x are "early access" versions,
+not generally recommended for production use.
+
+6.0 contains biggest changes in the history of Knot Resolver releases.
+You will have to rewrite your configuration. See documentation, in particular:
+https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html
+
+
+
+
+5.x branch longterm support
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+ Knot Resolver 5.7.1 (2024-02-13)
================================
+ Security
+ --------
+ - CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
+ * validator: lower the NSEC3 iteration limit (150 -> 50)
+ * validator: similarly also limit excessive NSEC3 salt length
+ * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
+ * validator: limit the amount of work on SHA1 in NSEC3 proofs
+ * validator: refuse to validate answers with more than 8 NSEC3 records
+
+ - CVE-2023-50387 "KeyTrap": DNSSEC verification complexity
+ could be exploited to exhaust CPU resources and stall DNS resolvers.
+ Solution boils down mainly to limiting crypto-validations per packet.
+
+ We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner
+ from the German National Research Center for Applied Cybersecurity ATHENE
+ for bringing this vulnerability to our attention.
+
Improvements
------------
- update addresses of B.root-servers.net (!1478)
return kr_ok();
}
+int kr_resolver_init(module_array_t *modules, knot_mm_t *pool)
+{
+ the_resolver = &the_resolver_value;
+
+ /* Default options (request flags). */
+ the_resolver->options.REORDER_RR = true;
++ the_resolver->vld_limit_crypto = KR_VLD_LIMIT_CRYPTO_DEFAULT;
+
+ /* Open resolution context */
+ the_resolver->trust_anchors = trie_create(NULL);
+ the_resolver->negative_anchors = trie_create(NULL);
+ the_resolver->pool = pool;
+ the_resolver->modules = modules;
+ the_resolver->cache_rtt_tout_retry_interval = KR_NS_TIMEOUT_RETRY_INTERVAL;
+ /* Create OPT RR */
+ the_resolver->downstream_opt_rr = mm_alloc(pool, sizeof(knot_rrset_t));
+ the_resolver->upstream_opt_rr = mm_alloc(pool, sizeof(knot_rrset_t));
+ if (!the_resolver->downstream_opt_rr || !the_resolver->upstream_opt_rr) {
+ return kr_error(ENOMEM);
+ }
+ knot_edns_init(the_resolver->downstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, pool);
+ knot_edns_init(the_resolver->upstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, pool);
+ /* Use default TLS padding */
+ the_resolver->tls_padding = -1;
+ /* Empty init; filled via ./lua/postconfig.lua */
+ kr_zonecut_init(&the_resolver->root_hints, (const uint8_t *)"", pool);
+ lru_create(&the_resolver->cache_cookie, LRU_COOKIES_SIZE, NULL, NULL);
+
+ return kr_ok();
+}
+
+void kr_resolver_deinit(void)
+{
+ kr_zonecut_deinit(&the_resolver->root_hints);
+ kr_cache_close(&the_resolver->cache);
+
+ /* The LRUs are currently malloc-ated and need to be freed. */
+ lru_free(the_resolver->cache_cookie);
+
+ kr_ta_clear(the_resolver->trust_anchors);
+ trie_free(the_resolver->trust_anchors);
+ kr_ta_clear(the_resolver->negative_anchors);
+ trie_free(the_resolver->negative_anchors);
+
+ the_resolver = NULL;
+}
+
int kr_resolve_begin(struct kr_request *request, struct kr_context *ctx)
{
/* Initialize request */
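Review bot: `kr_resolver_init` checks the two `mm_alloc` results but not the two `trie_create(NULL)` calls just above them, so an allocation failure there leaves `the_resolver->trust_anchors` or `the_resolver->negative_anchors` NULL and every later trust-anchor operation dereferences it; add `if (!the_resolver->trust_anchors || !the_resolver->negative_anchors) return kr_error(ENOMEM);` directly after the two `trie_create` lines. The return values of `knot_edns_init` and `kr_zonecut_init` are likewise dropped; if they report allocation failure through their return value, as the libknot and resolver signatures suggest, they should be propagated the same way rather than leaving a half-built OPT RR or zonecut in the singleton. Separately, the early `return kr_error(ENOMEM)` leaves `the_resolver` set to a partially initialised struct, and `kr_resolver_deinit` dereferences `the_resolver` unconditionally before clearing it, so a second deinit call is a NULL dereference; a `if (!the_resolver) return;` guard at the top of `kr_resolver_deinit` is cheap insurance. The hunk header and its leading context line are not visible in this excerpt, but both added functions are complete within it.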