Skip to content

v1.7.2

Latest

Choose a tag to compare

@semihalev semihalev released this 25 Jun 22:19
5c33725

A DNSSEC correctness release. Recommended for all validating deployments.

DNSSEC

  • Validate insecure delegations served without a referral. When one server is authoritative for both a signed parent and an unsigned child delegated from it (e.g. tr.+ns.tr., comcast.net+tx.comcast.net), it answers the child name authoritatively — no referral is crossed. v1.7.1 mis-attributed the answer to the signed parent and SERVFAIL'd the child's legitimately-unsigned records, breaking every signed zone whose nameservers live in an unsigned in-bailiwick subzone (e.g. the whole .tr TLD intermittently lost validation). Such data is now accepted as insecure only when cryptographically proven — an authenticated DS, or an exact NSEC3/NSEC delegation proof (NS set, DS/SOA clear; opt-out rejected for the no-referral case). The DS authentication is fail-closed and downgrade-safe: the DS lookup is validated explicitly before any conclusion, and a forged unsigned DS (even with an unsupported algorithm) cannot downgrade a signed child. (#501)
  • Clear the AD bit for CD=1 clients (RFC 4035 §3.2.3 / RFC 6840 §5.7). A client that sets CD=1 has opted out of trusting the resolver's validation, so AD must never be asserted to it — including an upstream's bit passed through by the forwarder. (#501)

Internal

  • Own DNS exchange library (internal/dnsclient) replacing the vendored miekg client copy — UDP/TCP, DoT, and DoH — with the resolver and forwarder client paths trimmed accordingly. (#500)

Full changelog: v1.7.1...v1.7.2