-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(RHEL-26643) resolved: limit the number of signature validations in a transaction #237
(RHEL-26643) resolved: limit the number of signature validations in a transaction #237
Conversation
Commit validationTracker - RHEL-26643 The following commits meet all requirements
Tracker validationSuccess🟢 Tracker RHEL-26643 has set desired product: Pull Request validationSuccess🟢 CI - All checks have passed Auto MergeSuccess🟢 Pull Request is not marked as draft and it's not blocked by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jacekmigacz We usually don't reference merge commits. Please reference the following upstream commits instead:
It has been demonstrated that tolerating an unbounded number of dnssec signature validations is a bad idea. It is easy for a maliciously crafted DNS reply to contain as many keytag collisions as desired, causing us to iterate every dnskey and signature combination in vain. The solution is to impose a maximum number of validations we will tolerate. While collisions are not hard to craft, I still expect they are unlikely in the wild so it should be safe to pick fairly small values. Here two limits are imposed: one on the maximum number of invalid signatures encountered per rrset, and another on the total number of validations performed per transaction. (cherry picked from commit 67d0ce8) Resolves: RHEL-26643
According to RFC9267, the 2500 value is not helpful, and in fact it can be harmful to permit a large number of iterations. Combined with limits on the number of signature validations, I expect this will mitigate the impact of maliciously crafted domains designed to cause excessive cryptographic work. (cherry picked from commit eba2911) Related: RHEL-26643
114576d
to
161312e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
No description provided.