(RHEL-26644) resolved: limit the number of signature validations in a transaction #431

Commits on Feb 27, 2024

  1. resolved: limit the number of signature validations in a transaction

    It has been demonstrated that tolerating an unbounded number of dnssec
    signature validations is a bad idea. It is easy for a maliciously
    crafted DNS reply to contain as many keytag collisions as desired,
    causing us to iterate every dnskey and signature combination in vain.
    
    The solution is to impose a maximum number of validations we will
    tolerate. While collisions are not hard to craft, I still expect they
    are unlikely in the wild so it should be safe to pick fairly small
    values.
    
    Here two limits are imposed: one on the maximum number of invalid
    signatures encountered per rrset, and another on the total number of
    validations performed per transaction.
    
    (cherry picked from commit 67d0ce8843d612a2245d0966197d4f528b911b66)
    
    Resolves: RHEL-26644
    jacekmigacz committed Feb 27, 2024
    811c030
  2. resolved: reduce the maximum nsec3 iterations to 100

    According to RFC9267, the 2500 value is not helpful, and in fact it can
    be harmful to permit a large number of iterations. Combined with limits
    on the number of signature validations, I expect this will mitigate the
    impact of maliciously crafted domains designed to cause excessive
    cryptographic work.
    
    (cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
    
    Related: RHEL-26644
    jacekmigacz committed Feb 27, 2024
    9597b18
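
The two limits described in the first commit message, sketched as an added C example (not the project's code and not taken from these commits). The type and function names, both limit values, and the `verify` stub standing in for the real signature check are assumptions; the colliding keys and signatures are constructed sample input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits chosen for this example; the page does not state the values. */
enum { INVALID_MAX_PER_RRSET = 5, VALIDATION_MAX_PER_TRANSACTION = 64 };

typedef struct { uint16_t key_tag; int key_id; } Key;      /* DNSKEY stand-in */
typedef struct { uint16_t key_tag; int signer_id; } Sig;   /* RRSIG stand-in */
typedef struct { unsigned n_validations; } Transaction;    /* budget shared by all rrsets */
typedef enum { RRSET_VALID, RRSET_NO_SIGNATURE, RRSET_TOO_MANY_VALIDATIONS } Result;

/* Stand-in for the costly public-key check: succeeds only for the real signer. */
static bool verify(const Sig *s, const Key *k) { return s->signer_id == k->key_id; }

/* Try each (signature, key) pair whose key tags match, within both budgets. */
Result validate_rrset(Transaction *t, const Sig *sigs, size_t n_sigs,
                      const Key *keys, size_t n_keys) {
    unsigned n_invalid = 0;
    for (size_t i = 0; i < n_sigs; i++)
        for (size_t j = 0; j < n_keys; j++) {
            if (sigs[i].key_tag != keys[j].key_tag) continue; /* cheap filter, no crypto */
            if (t->n_validations >= VALIDATION_MAX_PER_TRANSACTION)
                return RRSET_TOO_MANY_VALIDATIONS;            /* transaction budget spent */
            t->n_validations++;
            if (verify(&sigs[i], &keys[j]))
                return RRSET_VALID;
            if (++n_invalid >= INVALID_MAX_PER_RRSET)
                return RRSET_TOO_MANY_VALIDATIONS;            /* per-rrset budget spent */
        }
    return RRSET_NO_SIGNATURE;
}

/* Constructed input: 20 keys and 20 signatures sharing one key tag, none verifying.
 * Without limits each rrset would cost 20 * 20 = 400 validations. */
unsigned cost_of_colliding_rrsets(unsigned n_rrsets, Result *last) {
    Key keys[20]; Sig sigs[20];
    for (int i = 0; i < 20; i++) {
        keys[i] = (Key){ .key_tag = 4242, .key_id = i };
        sigs[i] = (Sig){ .key_tag = 4242, .signer_id = -1 };
    }
    Transaction t = { 0 };
    for (unsigned r = 0; r < n_rrsets; r++)
        *last = validate_rrset(&t, sigs, 20, keys, 20);
    return t.n_validations;
}

int main(void) {
    Result r;
    printf("%u validations for 100 colliding rrsets\n", cost_of_colliding_rrsets(100, &r));
}
```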