[Dnsmasq-discuss] Announce: dnsmasq-2.90.

Simon Kelley simon at thekelleys.org.uk
Tue Feb 13 15:48:16 UTC 2024 

I've just released 2.90.

The motivation for this a security announcement today of an attack known 
as keytrap, which is a generic attack on all DNSSEC validators - it's a 
failure of the specification rather than of the implementations. If 
DNSSEC validation is enabled, then an attacker who can force a DNS 
server to validate a specially crafted signed domain can use a lot of 
CPU in the validator. This only affects dnsmasq installations with 
DNSSEC enabled.

The solution for dnsmasq is to impose hard limits on a few measures of 
the amount of "work" a DNSSEC validation is taking. The new code 
remembers how close to the limits it has come, and will log that 
information when it receives a SIGUSR1. The default limits have been set 
with significant headroom over the maximums that have been achieved in 
my testing, but the only testing has been done by me, because of embargo 
on the security disclosure. In the event that I've set the limits too 
small, there is a new option that allows them to be overridden. Hitting 
the limits logs an error message.

The security cases which refer to this are CVE-2023-50387 and 
CVE-2023-50868.

I'm aware both that a release is well overdue, and that there are 
outstanding patches and issues which I'd hoped to get to before making a 
release and thus far failed to do so. The security issue has forced my 
hand, so we do at least now have a release. I'll continue working in the 
backlog.

The security fixes are conceptually complex, but they ended up touching 
a lot of code, so backporting them is going to be difficult. I'd 
encourage anyone who can to upgrade rather than backporting.

CHANGELOG below, for reference.

Cheers,

Simon.




version 2.90
         Fix reversion in --rev-server introduced in 2.88 which
         caused breakage if the prefix length is not exactly divisible
         by 8 (IPv4) or 4 (IPv6).

         Fix possible SEGV when there server(s) for a particular
         domain are configured, but no server which is not qualified
         for a particular domain. Thanks to Daniel Danzberger for
         spotting this bug.

         Set the default maximum DNS UDP packet sice to 1232. This
         has been the recommended value since 2020 because it's the
         largest value that avoid fragmentation, and fragmentation
         is just not reliable on the modern internet, especially
         for IPv6. It's still possible to override this with
         --edns-packet-max for special circumstances.

         Add --no-dhcpv4-interface and --no-dhcpv6-interface for
         better control over which inetrfaces are providing DHCP service.

         Fix issue with stale caching: After replying with stale data,
         dnsmasq sends the query upstream to refresh the cache
	asynchronously and sometimes sends the wrong packet: packet
	length can be wrong,
	and if an EDE marking stale data is added to the answer that can
        	end up in the query also. This bug only seems to cause problems
         when the upstream server is a DOH/DOT proxy. Thanks to Justin He
         for the bug report.

         Add configurable caching for arbitrary RR-types.

         Add --filter-rr option, to filter arbitrary RR-types.
         --filter-rr=ANY has a special meaning: it filters the
         answers to queries for the ANY RR-type.

         Add limits on the resources used to do DNSSEC validation.
         DNSSEC introduces a potential CPU DoS, because a crafted domain
         can force a validator to a large number of cryptographic
         operations whilst attempting to do validation. When using TCP
	transport a DNSKEY RRset contain thousands of members and any
         RRset can have thousands of signatures. The potential number
         of signature validations to follow the RFC for validation
         for one RRset is the cross product of the keys and signatures,
         so millions. In practice, the actual numbers are much lower,
         so attacks can be mitigated by limiting the amount of
         cryptographic "work" to a much lower amount. The actual
         limits are number a signature validation fails per RRset(20),
         number of signature validations and hash computations
        	per query(200), number of sub-queries  to fetch  DS and DNSKEY
         RRsets per query(40), and the number of iterations in a
         NSEC3 record(150). These values are sensible, but there is, as 	
	yet, no standardisation on the values for a "conforming" domain,
	so a new option --dnssec-limit is provided should they need to 	
	be altered. The algorithm to validate DS records has also been
	altered to reduce the maximum work from cross product of the
	number of DS records and number of DNSKEYs to the cross product
	of the number of DS records and supported DS digest types. As
	the number of DS digest types is in single figures, this reduces
	the exposure.

         Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
         and Michael Waidner from the German National Research Center for
         Applied Cybersecurity ATHENE for finding this vulnerability.

         CVE 2023-50387 and CVE 2023-50868 apply.
         Note that this is a security vulnerablity only when DNSSEC
	validationis enabled.

More information about the Dnsmasq-discuss mailing list