Posted
about 1 month
ago
Security
CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
validator: lower the NSEC3 iteration limit (150 -> 50)
validator: similarly also limit excessive NSEC3 salt length
cache: limit the amount of …
|
Posted
7 months
ago
Security
avoid excessive TCP reconnections in a few more cases
Like before, the remote server had to behave nonsensically in order
to inflict this upon itself, but it might be …
|
Posted
about 1 year
ago
Security
avoid excessive TCP reconnections in some cases (!1380)
For example, a DNS server that just closes connections without answer
could cause lots of work for the resolver (and itself …
|
Posted
over 1 year
ago
Security
fix CPU-expensive DoS by malicious domains - CVE-2022-40188
Improvements
fix config_tests on macOS (both HW variants)
|
Posted
over 1 year
ago
Improvements
support libknot 3.2 (!1309)
priming module: hide failures from the default log level (!1310)
reduce memory usage in some cases (!1328)
Bugfixes
daemon/http: improve URI checks to …
|
Posted
almost 2 years
ago
Improvements
daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295)
daemon/http: DoH now responds with proper HTTP codes (#728, !1279)
renumber module: allow rewriting subnet …
|
Posted
about 2 years
ago
Improvements
extended_errors: module for extended DNS error support, RFC8914 (!1234)
policy: log policy actions; useful for RPZ debugging (!1239)
policy: new action policy.IPTRACE for logging request origin (!1239 …
|
Posted
about 2 years
ago
Bugfixes
fix bad zone cut update in certain cases (e.g. AWS; !1237)
|
Posted
over 2 years
ago
Improvements
lua: add kres.parse_rdata() to parse RDATA from string to wire format (!1233)
lua: add policy.domains() for exact domain name matching (!1228)
Bugfixes
policy.rpz: fix origin …
|
Posted
over 2 years
ago
Improvements
lua: add kres.parse_rdata() to parse RDATA from string to wire format (!1233)
lua: add policy.domains() for exact domain name matching (!1228)
Bugfixes
policy.rpz: fix origin detection …
|