author | Vladimír Čunát <vladimir.cunat@nic.cz> | 2023-11-06 19:37:09 +0100 |
---|---|---|
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2023-11-06 19:37:09 +0100 |
commit | a31c0b5a4d4cafea3dc6f2cf0e4cba9e94aca095 (patch) | |
tree | 9a57ea49a66671d8ecea45ba5c2b1f930305d43f | |
parent | Merge !1467: doc/upgrading-to-6: nits (diff) | |
parent | Merge !1470: lib/zonecut.c fetch_addr(): resurrect filtering by NO_IPV* (diff) | |
download | knot-resolver-a31c0b5a4d4cafea3dc6f2cf0e4cba9e94aca095.tar.xz knot-resolver-a31c0b5a4d4cafea3dc6f2cf0e4cba9e94aca095.zip |
Merge branch 'master' into 6.0
-rw-r--r-- | .github/workflows/macOS.yaml | 2 | ||||
-rw-r--r-- | NEWS | 13 | ||||
-rwxr-xr-x | ci/gh_actions.py | 9 | ||||
-rw-r--r-- | lib/zonecut.c | 7 |
4 files changed, 23 insertions, 8 deletions
diff --git a/.github/workflows/macOS.yaml b/.github/workflows/macOS.yaml index 821ee56a..c9970645 100644 --- a/.github/workflows/macOS.yaml +++ b/.github/workflows/macOS.yaml @@ -8,7 +8,7 @@ jobs: runs-on: macOS-latest strategy: matrix: - knot-version: ['3.1', '3.2'] + knot-version: ['3.2', '3.3'] steps: - name: Checkout resolver code @@ -9,16 +9,27 @@ You will have to rewrite your configuration. See documentation, in particular: https://knot.pages.nic.cz/knot-resolver/upgrading-to-6.html + + +Knot Resolver 5.x.y (202y-mm-dd) +================================ + +Bugfixes +-------- +- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880) + + Knot Resolver 5.7.0 (2023-08-22) ================================ Security -------- -- avoid excessive TCP reconnections in a few more cases (!NNNN) +- avoid excessive TCP reconnections in a few more cases (!1448) Like before, the remote server had to behave nonsensically in order to inflict this upon itself, but it might be abusable for DoS. We thank Ivan Jedek from OryxLabs for reporting this. + CVE-2023-46317 got later assigned to this issue. Improvements ------------ diff --git a/ci/gh_actions.py b/ci/gh_actions.py index 8fe05b68..bbeb3b34 100755 --- a/ci/gh_actions.py +++ b/ci/gh_actions.py @@ -30,10 +30,11 @@ while time.time() < end_time: elif response.status_code == 200: data = json.loads(response.content.decode('utf-8')) try: - run = data['workflow_runs'][0] - conclusion = run['conclusion'] - html_url = run['html_url'] - commit_sha = run['head_sha'] + for i in range(0, 1): # two runs ATM + run = data['workflow_runs'][i] + conclusion = run['conclusion'] + html_url = run['html_url'] + commit_sha = run['head_sha'] except (KeyError, IndexError): time.sleep(POLL_DELAY) continue diff --git a/lib/zonecut.c b/lib/zonecut.c index 4ec40367..2bbd26fc 100644 --- a/lib/zonecut.c +++ b/lib/zonecut.c 
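Review bot: In the `ci/gh_actions.py` hunk, `range(0, 1)` yields only `i = 0`, so despite the `# two runs ATM` comment the loop still reads just `data['workflow_runs'][0]`; covering two runs would need `for i in range(2):`. Even with that fix, each iteration overwrites `conclusion`, `html_url` and `commit_sha`, so only the last run's values would survive the loop unless the check moves inside it or the results are collected. As written, a failed second workflow run would presumably pass this CI gate unnoticed. The enclosing `while` loop starts and ends outside the hunk, so how these variables are used afterwards is not visible here.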
@@ -19,8 +19,7 @@
 /** Information for one NS name + address type. */
 typedef enum {
 AI_UNINITED = 0,
- AI_REPUT, /**< Don't use this addrset, due to: cache_rep, NO_IPV6, ...
- * cache_rep approximates various problems when fetching the RRset. */
+ AI_DISABLED, /**< Can't use this addrset. */
 AI_CYCLED, /**< Skipped due to cycle detection; see implementation for details. */
 AI_LAST_BAD = AI_CYCLED, /** bad states: <= AI_LAST_BAD */
 AI_UNKNOWN, /**< Don't know status of this RRset; various reasons. */
@@ -289,9 +288,13 @@ static addrset_info_t fetch_addr(pack_t *addrs, const knot_dname_t *ns, uint16_t
 int rdlen;
 switch (rrtype) {
 case KNOT_RRTYPE_A:
+ if (qry->flags.NO_IPV4)
+ return AI_DISABLED;
 rdlen = 4;
 break;
 case KNOT_RRTYPE_AAAA:
+ if (qry->flags.NO_IPV6 || no6_is_bad())
+ return AI_DISABLED;
 rdlen = 16;
 break;
 default: |
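Review bot: The two early returns added to `fetch_addr()` have no comment, and the first hunk shortens the enum doc to `Can't use this addrset.`, so the conditions that now produce `AI_DISABLED` are not recorded anywhere. I would list them at the enum, e.g. `AI_DISABLED, /**< Can't use this addrset: NO_IPV4/NO_IPV6 set or no6_is_bad(). */`. Because `AI_DISABLED` sits at or below `AI_LAST_BAD`, a query with both address families disabled would presumably have every NS address set classed as bad. Whether callers handle that cleanly cannot be seen here, since `fetch_addr()` starts and ends outside the hunk. The diffstat shows no test change, so a regression test for the `net.ipv6 = false` case from NEWS (#880) would be worth adding if one does not already exist.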