From: Vladimír Čunát Date: Tue, 13 Feb 2024 12:12:41 +0000 (+0100) Subject: Merge branch 'master' into dos-feb13-6.0 X-Git-Tag: v6.0.6^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-develop-dos-hama3x%2Fdeployments%2F3237;p=thirdparty%2Fknot-resolver.git Merge branch 'master' into dos-feb13-6.0 There were some nontrivial conflicts to resolve, NEWS + the line ctx->vld_limit_crypto = KR_VLD_LIMIT_CRYPTO_DEFAULT; (I had this resolution prepared for a long time.) --- fb08513c3cd96186d35ca3f591c111423fd6fe23 diff --cc NEWS index f4d640322,dd8137abf..341792fec --- a/NEWS +++ b/NEWS @@@ -1,31 -1,23 +1,48 @@@ +Knot Resolver 6.0.6 (2024-0m-dd) +================================ + +Improvements +------------ +- tweak the default run_dir on non-Linux (!1481) + + +Knot Resolver 6.0.5 (2024-01-09) +================================ + +6.0.x are "early access" versions, +not generally recommended for production use. + +6.0 contains biggest changes in the history of Knot Resolver releases. +You will have to rewrite your configuration. See documentation, in particular: +https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html + + + + +5.x branch longterm support +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + - Knot Resolver 5.x.y (202y-mm-dd) + Knot Resolver 5.7.1 (2024-02-13) ================================ + Security + -------- + - CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU + * validator: lower the NSEC3 iteration limit (150 -> 50) + * validator: similarly also limit excessive NSEC3 salt length + * cache: limit the amount of work on SHA1 in NSEC3 aggressive cache + * validator: limit the amount of work on SHA1 in NSEC3 proofs + * validator: refuse to validate answers with more than 8 NSEC3 records + + - CVE-2023-50387 "KeyTrap": DNSSEC verification complexity + could be exploited to exhaust CPU resources and stall DNS resolvers. + Solution boils down mainly to limiting crypto-validations per packet. 
+ + We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and Michael Waidner + from the German National Research Center for Applied Cybersecurity ATHENE + for bringing this vulnerability to our attention. + Improvements ------------ - update addresses of B.root-servers.net (!1478) diff --cc lib/resolve.c index e9b118c59,e24a40b9c..e8a634896 --- a/lib/resolve.c +++ b/lib/resolve.c @@@ -473,52 -658,6 +473,53 @@@ static int query_finalize(struct kr_req return kr_ok(); } +int kr_resolver_init(module_array_t *modules, knot_mm_t *pool) +{ + the_resolver = &the_resolver_value; + + /* Default options (request flags). */ + the_resolver->options.REORDER_RR = true; ++ the_resolver->vld_limit_crypto = KR_VLD_LIMIT_CRYPTO_DEFAULT; + + /* Open resolution context */ + the_resolver->trust_anchors = trie_create(NULL); + the_resolver->negative_anchors = trie_create(NULL); + the_resolver->pool = pool; + the_resolver->modules = modules; + the_resolver->cache_rtt_tout_retry_interval = KR_NS_TIMEOUT_RETRY_INTERVAL; + /* Create OPT RR */ + the_resolver->downstream_opt_rr = mm_alloc(pool, sizeof(knot_rrset_t)); + the_resolver->upstream_opt_rr = mm_alloc(pool, sizeof(knot_rrset_t)); + if (!the_resolver->downstream_opt_rr || !the_resolver->upstream_opt_rr) { + return kr_error(ENOMEM); + } + knot_edns_init(the_resolver->downstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, pool); + knot_edns_init(the_resolver->upstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, pool); + /* Use default TLS padding */ + the_resolver->tls_padding = -1; + /* Empty init; filled via ./lua/postconfig.lua */ + kr_zonecut_init(&the_resolver->root_hints, (const uint8_t *)"", pool); + lru_create(&the_resolver->cache_cookie, LRU_COOKIES_SIZE, NULL, NULL); + + return kr_ok(); +} + +void kr_resolver_deinit(void) +{ + kr_zonecut_deinit(&the_resolver->root_hints); + kr_cache_close(&the_resolver->cache); + + /* The LRUs are currently malloc-ated and need to be freed. 
*/ + lru_free(the_resolver->cache_cookie); + + kr_ta_clear(the_resolver->trust_anchors); + trie_free(the_resolver->trust_anchors); + kr_ta_clear(the_resolver->negative_anchors); + trie_free(the_resolver->negative_anchors); + + the_resolver = NULL; +} + int kr_resolve_begin(struct kr_request *request, struct kr_context *ctx) { /* Initialize request */
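Review bot: In kr_resolver_init the ENOMEM branch after the two mm_alloc calls returns while the two tries created just above by trie_create are still allocated and the_resolver still points at the half-initialised struct, so a failed init leaks both tries unless the caller also runs kr_resolver_deinit (which it presumably must not, since deinit would then call kr_cache_close on a cache this function never opened). Either move the two mm_alloc calls and their check above the trie_create calls, or release on failure with `trie_free(the_resolver->trust_anchors); trie_free(the_resolver->negative_anchors); the_resolver = NULL;` before the `return kr_error(ENOMEM);` (this assumes trie_free tolerates a NULL handle, which I cannot confirm from here; trie_create's own return value is also never checked). The merge-resolved line `the_resolver->vld_limit_crypto = KR_VLD_LIMIT_CRYPTO_DEFAULT;` sits under the `/* Default options (request flags). */` comment, but it is the per-packet crypto-validation cap that the NEWS entry in this same commit credits as the CVE-2023-50387 (KeyTrap) mitigation, so it deserves its own comment: `/* Cap on crypto validations per packet (CVE-2023-50387 / KeyTrap mitigation). */`.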