a heap use-after-free. That could happen if at least two
distinct classes are configured for resolution. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
In addition, thanks to Xin Wang, Jiapeng Li, and Jiajia
Liu, Northwestern Polytechnical University, for also
reporting this.
DNSSEC validated, when DNSSEC is enabled. This improves
the RFC6147 conformance of Unbound. Thanks to Xin Wang
and Jiajia Liu, Northwestern Polytechnical University, for
the report. In addition, thanks to Qifan Zhang, Palo Alto
Networks, for reporting it.
An improper wildcard in the chain of trust would send
the retries to the wrong upstream. It could also label
the step in the chain of trust as secure when it was not.
Thanks to Qifan Zhang, Palo Alto Networks, for the report.
the correct match. This stops an unchecked unsigned CNAME
from getting secure status for certain zone configurations.
Thanks to Qifan Zhang, Palo Alto Networks, for the report.
connections for a different name, at the same IP. This
checks that the tls name is correct when reusing the
upstream connections. Thanks to TaoFei Guo from Peking
University and JianJun Chen from Tsinghua University for
the report.
that the server only accepts YXDOMAIN answers that contain
a DNAME record. This rejects bad answers and checks that
the authoritative server gives correct replies.
Thanks to Qifan Zhang, Palo Alto Networks, for the report.
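As an added example (not code from Unbound), the YXDOMAIN check above modelled in Python over constructed reply records; the record shape and the extra requirement that the DNAME owner is a proper ancestor of the query name (so that it could actually apply to that query) are my assumptions beyond the entry.

```python
# Added example, not Unbound's own code: a YXDOMAIN reply is accepted only
# when its answer section carries a DNAME that could apply to the query name.
# Record shapes and helper names are assumptions for illustration.
from typing import Dict, List


def _labels(name: str) -> List[str]:
    """Split a dotted name into lower-cased labels, ignoring the trailing dot."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def dname_applies(owner: str, qname: str) -> bool:
    """A DNAME applies only to proper subdomains of its owner (RFC 6672),
    never to the owner name itself."""
    o, q = _labels(owner), _labels(qname)
    return len(o) < len(q) and q[len(q) - len(o):] == o


def accept_yxdomain(qname: str, rcode: str, answer: List[Dict]) -> bool:
    """Return True when the reply may be used.

    YXDOMAIN is only meaningful as a DNAME synthesis failure, so a YXDOMAIN
    reply without an applicable DNAME in the answer section is rejected.
    Other rcodes are outside this check and pass through unchanged."""
    if rcode != "YXDOMAIN":
        return True
    return any(
        rr["type"] == "DNAME" and dname_applies(rr["owner"], qname)
        for rr in answer
    )


# Constructed sample answer sections (not captured traffic).
GOOD_ANSWER = [{"owner": "old.example.", "type": "DNAME", "rdata": "new.example."}]
BAD_ANSWER = [{"owner": "other.example.", "type": "DNAME", "rdata": "x.example."}]

if __name__ == "__main__":
    print(accept_yxdomain("a.old.example.", "YXDOMAIN", GOOD_ANSWER))  # True
    print(accept_yxdomain("a.old.example.", "YXDOMAIN", BAD_ANSWER))   # False
    print(accept_yxdomain("a.old.example.", "YXDOMAIN", []))           # False
```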
with errors for error cases, and does not stay silent.
In addition, the error replies do not contain parts of the
incoming query. This is more conformant, stops reflection
and stops its use as a covert channel. Thanks to Yuqi Qiu and
Xiang Li, Nankai University (AOSP Lab), for the report.
In addition, thanks to Qifan Zhang, Palo Alto Networks, for
noting the fingerprinting possibility, which is also fixed
with this.
an overly large number of RRSIGs. It can be configured with
`iter-scrub-rrsig: 8`; the default is 8. Thanks to Yuxiao Wu,
Tsinghua University, for the report.
the global cache after a failed lookup, such as timeouts. A failure
entry is stored in the subnet cache, for the query name, for a
couple of seconds. Queries can continue to use the subnet cache
during that time.
Thanks to Kunta Chu, School of Software, Tsinghua University,
Taofei Guo, Peking University, and Jianjun Chen, Institute for
Network Sciences and Cyberspace, Tsinghua University, for the
report. The private-address option is fixed to also elide
SVCB and HTTPS records that match the filter.
* Allow synthesized DNAME TTL=0 to be served from cache within grace period
Addresses doc/TODO: cache TTL=0 packets properly for synthesis.
- rrset_cache_lookup: allow TTL=0 DNAME within 1s grace for synthesis
- synth_dname_msg: support PACKED_RRSET_UPSTREAM_0TTL, return TTL=0 to client
Reduces recursion when authoritative servers return DNAME with TTL=0 (RFC 2308).
Client response still correctly returns TTL=0.
Note: Test with proper TTL=0 DNSSEC RRSIGs omitted - requires ldns-signzone
to generate valid signatures for TTL=0 RRsets.
* Add iter_dname_ttl0.rpl replay test for DNAME TTL=0
Tests signed DNAME with TTL=0 and RRSIG Original TTL=0 (RFC 4034).
Verifies end-to-end handling of TTL=0 DNAME responses.
requests are passed. The edns subnet module checks if validation
is needed for a cache response, and sets the validator to protect
the cache with validation for non-subnet lookups.
subquery without subnet, and the forward-no-cache or
stub-no-cache option is set, it is not stored in cache due to
the forward or stub option.
This has the changelog entry and test.
to include YXDOMAIN and non-referral nodata answers in the mitigation as
well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun
Chen from Tsinghua University.
same time, the client info is copied for attach_sub and add_sub
calls. That makes respip work on dns64 synthesized answers, and
also makes RPZ work with DNS64. The order for the modules is
module-config: "respip dns64 validator iterator".