Unbound 1.19.1 released

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Feb 13 12:43:58 UTC 2024


Hi,

Unbound 1.19.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.1.tar.gz
sha256 bc1d576f3dd846a0739adc41ffaa702404c6767d2b6082deb9f2f97cbb24a3a9
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.19.1.tar.gz.asc

This security release fixes two DNSSEC validation vulnerabilities:
CVE-2023-50387 (referred to here as the KeyTrap vulnerability) and
CVE-2023-50868 (referred to here as the NSEC3 vulnerability).

The KeyTrap vulnerability works by using a combination of keys (including
colliding keys), signatures and the number of RRsets in a malicious zone.
Answers from that zone can force a DNSSEC validator down a very CPU
intensive and time costly validation path.

The NSEC3 vulnerability uses specially crafted responses from a malicious
zone with multiple NSEC3 RRsets to force a DNSSEC validator down a very
CPU intensive and time costly NSEC3 hash calculation path.

Both can force Unbound to spend an enormous time (comparative to regular
traffic) validating a single specially crafted DNSSEC response while 
everything else is on hold for that thread. A trivially orchestrated 
attack could render all threads busy with such responses leading to 
denial of service.

From version 1.19.1 on, Unbound introduces suspension on DNSSEC response
validations that seem to require more attempts than Unbound is willing
to make per response validation run. Suspension means that Unbound will
continue with other work before resuming a suspended validation, offering
CPU time between validation resumptions to other tasks. There is a
backoff timer when suspending which is further influenced by the number
of suspends already used and the amount of work currently in Unbound.

The introduced builtin limits in Unbound are:

- Max 4 DNSSEC key collisions are allowed when building the chain of trust.
  More than that without a secure key treats the delegation as bogus.
- 8 validation attempts per RRset (combination of keys + signatures).
  If more are needed and Unbound has yet to find a valid signature,
  the RRset is treated as bogus.
- More than 8 validation attempts per answer will suspend validation.
- 8 NSEC3 hash calculations are allowed before suspension. More than
  that will suspend validation.
- The limit of total suspensions is 16, after which the query will error
  out. Any completed RRset validations populate the cache for use in
  future queries.

While under attack Unbound could show higher CPU load because of the
needed validations, but the suspend strategy guarantees the CPU is
not locked on any particular validation task.
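To make the effect of the per-RRset, per-run and total-suspension limits above concrete, here is a small model of a validator's work budget. This is an added illustration written for this announcement, not Unbound's code: the RRset representation, the `valid_index` attempt counter and the exact point at which a run is suspended are simplifications chosen here, and the NSEC3 hash limit is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits as stated in the 1.19.1 announcement (the model, not Unbound, applies them).
MAX_ATTEMPTS_PER_RRSET = 8  # more without a valid signature -> RRset is bogus
MAX_ATTEMPTS_PER_RUN = 8    # more per validation run -> suspend and yield the CPU
MAX_SUSPENDS = 16           # more than this -> the query errors out


@dataclass
class RRset:
    keys: int                         # DNSKEYs that match the RRSIG key tag (collisions)
    sigs: int                         # RRSIGs present on the RRset
    valid_index: Optional[int] = None # 1-based attempt that succeeds; None = never


def unbounded_work(rrsets: List[RRset]) -> int:
    """Attempts a naive validator makes if it tries every key/signature pair."""
    return sum(r.keys * r.sigs for r in rrsets)


def validate(rrsets: List[RRset]) -> Tuple[str, int, int]:
    """Validate an answer under the limits; returns (outcome, attempts, suspends)."""
    attempts = suspends = run = 0
    for r in rrsets:
        secure = False
        for i in range(1, r.keys * r.sigs + 1):
            if i > MAX_ATTEMPTS_PER_RRSET:
                break                                  # give up on this RRset
            attempts += 1
            run += 1
            if run > MAX_ATTEMPTS_PER_RUN:
                suspends += 1                          # hand the thread to other work
                run = 0                                # ...and resume in a fresh run
                if suspends > MAX_SUSPENDS:
                    return "error", attempts, suspends
            if r.valid_index == i:
                secure = True
                break
        if not secure:
            return "bogus", attempts, suspends         # one bogus RRset fails the answer
    return "secure", attempts, suspends


if __name__ == "__main__":
    # Constructed KeyTrap-style answer: 10 RRsets, 50 colliding keys x 50 signatures each.
    trap = [RRset(keys=50, sigs=50) for _ in range(10)]
    print("naive attempts:", unbounded_work(trap), "limited:", validate(trap))
```

The constructed trap answer costs a naive validator 25000 signature checks, while the limited validator stops after 8 and marks the answer bogus; a long but legitimate answer instead makes progress in runs of 8 with suspensions in between.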

We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and 
Michael Waidner from the German National Research Center for Applied 
Cybersecurity ATHENE for discovering and responsibly disclosing the 
KeyTrap vulnerability.

We would like to thank Petr Špaček from ISC for discovering and 
responsibly disclosing the NSEC3 vulnerability.

Bug Fixes
- Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
   exhaust CPU resources and stall DNS resolvers.
- Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

Best regards, Wouter