Search
224 results for “nlnetlabs”
-
We have a canary build of our @nlnetlabs #unbound #docker image with #quic support available for testing, yay! 💚
➡️ madnuttah/unbound:canary-quic ⬅️
https://github.com/madnuttah/unbound-docker/
https://hub.docker.com/r/madnuttah/unbound
#selfhosting #homelab #opensource #foss #dnssec #doq #dnsoverquic #quictls #distroless
-
A new release (1.17.1-4) of my @nlnetlabs #unbound #docker image has been pushed to #docker hub, the topic is reproducibility and, of course, more security. I've reduced the attack surface a bit more and optimized the dockerfiles a little. Enjoy!
https://github.com/madnuttah/unbound-docker
https://github.com/madnuttah/unbound-docker/releases/tag/v1.17.1-4
-
My @nlnetlabs #unbound #dns #resolver #docker image was updated with #OpenSSL 3.1.0 and #Alpine 3.17.2 yesterday, the version reads 1.17.1-3 (Revision 3). Stay safe! 💚
-
Wasn't too much work, so the #OpenSSL build environment got implemented into my @nlnetlabs #unbound #docker image already. You had my promise. The initial build was manual but it should run as an #automatedBuild too.
The first madnuttah/unbound-docker #distroless build (v1.19.3-1) with the per architecture optimized libraries is available on #dockerHub. 💚
https://github.com/madnuttah/unbound-docker
-
@lexinova @nlnetlabs @nextcloud @terts
I wrote once a blog about #GitLab, #GitHub, and #Forgejo (#codeberg). What to choose?
It is in Dutch, but I'm pretty sure your browser can translate it for you:
https://developer.overheid.nl/blog/2025/11/11/git-forge-overheid
It is a recommendation for a #GitForge for the Dutch #government.
Part of the conclusion:
In summary, from the point of view of digital sovereignty and digital autonomy, a self-hosted Forgejo is the best choice for the government.
-
With #DNSoverQUIC released in Unbound 1.22.0, we turn our attention to finalizing the review to deploy Fast Reload. As the name suggests it allows reloading the #DNS resolver configuration with no noticeable interruption of the service. #OpenSource #DoQ #QUIC https://github.com/NLnetLabs/unbound/pull/1042
-
It's been a long road, but we're happy that #DNS over #QUIC is now merged into the main branch of Unbound resolver. We’re now preparing a release. #DoQ #OpenSource https://github.com/NLnetLabs/unbound/pull/871
-
Since last November, we've been quite busy with security releases for Unbound. Now, with this latest bug fix release out the door, our aim is to get some features released we've been preparing, such as DNS-over-QUIC and upstream #DNS cookies. 🍪🍪 #DoQ https://github.com/NLnetLabs/unbound/milestone/3
-
Thanks to @jpmens we now have documentation for Cascade describing how to integrate with a Nitrokey NetHSM to store your DNSSEC keys.
Thanks a lot! 🧡
-
@jpmens @bortzmeyer @themozzie @terts @bal4e
ReStructuredText and particularly ‘intersphinx’ shenanigans will be the end of me.
For now I prevailed, with links from the Cascade docs to the brand new kmip2pkcs11 manpages for setting up your HSM.
-
We have a retired SafeNet Luna 4 #HSM in the office for testing our Nameshed HSM code, but we're having a bit of a hard time obtaining a PKCS#11 Linux library / SDK for it.
(Plan B would be someone giving us testing access to their Thales Luna)
Is there anyone who can help @ximon18 out? Sharing is caring. 💚 #DNS #DNSSEC #OpenSource
-
As announced at #RIPE86, the RIPE NCC #RPKI Publication Service is now in production and proving quite popular. 167 CAs are now active, publishing 2100 ROAs, resulting in 3671 VRPs. It’s easy to set this up, and will allow you to sub-delegate resources, do #ASPA, as well as #BGPsec. https://blog.nlnetlabs.nl/running-krill-under-ripe-ncc/
-
Perfectly timed for all the #RoutingSecurity discussions at #RIPE86, we’re proud to launch Krill 0.13. This release introduces production grade #ASPA support in addition to #BGPsec. It also adds a full #RPKI Trust Anchor support, enabling RIRs to run Krill as their root CA solution. https://github.com/NLnetLabs/krill/releases/tag/v0.13.0
-
Our #BGP #routing team will be available at #RIPE86 as well:
🛰️ Excited by our #OpenSource modular #BGP toolkit Rotonda? It's written in #rustlang too, making it insanely fast while providing #MemorySafety. Talk to @jasper, Luuk or Ximon about our imminent launch.
🦐 Meanwhile, we’ve been cooking up #ASPA support to complement #BGPsec in Krill, our #RPKI CA software. Tim can tell you all about it, along with our future plans.
-
Krill 0.10.0 is now available, featuring support for #BGPSec Router Certificate Signing and the use of Hardware Security Modules (HSMs) for key operations. #RPKI https://github.com/NLnetLabs/krill/releases/tag/v0.10.0
-
CW: New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)
(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)
Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:
Press release: https://www.athene-center.de/en/news/press/key-trap
Technical paper (released 2/15): https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
DNS-OARC dns-ops announcement: https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html
RIPE blog post by one of the authors: https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/
Apparently builds on this 2019 vulnerability (h/t letoams @defcon.social):
https://essay.utwente.nl/78777/
Details may be still partially embargoed until patching ramps up.
Analysis:
DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.
"In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)
Per the Unbound writeup, both vulns require query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).
Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)
Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.
Details:
Two DNSSEC DoS CVEs:
CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://seclists.org/oss-sec/2024/q1/125
(KeyTrap was discovered by ATHENE - their press release here has very important detail:
https://www.athene-center.de/en/news/press/key-trap)
CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MITRE links (now populated):
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868
Vulmon queries:
https://vulmon.com/searchpage?q=CVE-2023-50387
https://vulmon.com/searchpage?q=CVE-2023-50868
VulDB:
https://vuldb.com/?id.253829
Resolver status:
BIND (patched - vuln since 2000?):
https://fosstodon.org/@iscdotorg/111924416653890048
https://kb.isc.org/docs/cve-2023-50387
https://kb.isc.org/docs/cve-2023-50868
https://seclists.org/oss-sec/2024/q1/125
https://www.isc.org/blogs/2024-bind-security-release/
(note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)
BIND tools:
dig: no validation
kdig: no validation
delv: affected, patched
dnsmasq (patched - 2.90 has fix):
https://thekelleys.org.uk/dnsmasq/CHANGELOG
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
Knot (patched in 5.7.1):
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
(kzonecheck also affected, patched?)
ldns-verify-zone:
affected per ATHENE paper
OPNsense (patched):
https://forum.opnsense.org/index.php?topic=38939.msg190655#
pfSense:
(Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
https://forum.netgate.com/topic/186145/unbound-cve-2023-50387-and-cve-2023-50868/1
https://redmine.pfsense.org/issues/15256
Pi-Hole (uses dnsmasq - patch available):
https://www.patreon.com/posts/dnssec-fix-98498055
https://pi-hole.net/blog/2024/02/13/fixing-two-new-dnssec-vulnerabilities/
PowerDNS (patched - all versions affected):
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released
https://github.com/PowerDNS/pdns/pull/13781
https://github.com/PowerDNS/pdns/pull/13784
https://seclists.org/oss-sec/2024/q1/130
Stubby:
[?]
https://github.com/getdnsapi/stubby
systemd.resolved:
[?]
Ubiquiti:
[?]
Unbound (patched - vuln since Aug 2007):
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt
https://seclists.org/oss-sec/2024/q1/126
Library status:*
dnspython (GitHub patched):
affected per ATHENE paper
https://github.com/rthalley/dnspython/commit/a1a998938b7370dae41784f8bc0a841dc2addba9
getdns (used by stubby - no patched release?):
affected per ATHENE paper
https://getdnsapi.net/releases/
ldns (not yet patched?):
affected per ATHENE paper
https://github.com/NLnetLabs/ldns
libunbound (used by Unbound):
affected per ATHENE paper
no recent patches?
https://github.com/NLnetLabs/unbound/tree/master/libunbound
Cloud status:
Akamai:
https://www.akamai.com/blog/security/dns-exploit-keytrap-posed-major-internet-threat
Cloudflare:
https://blog.cloudflare.com/remediating-new-dnssec-resource-exhaustion-vulnerabilities
Google DNS:
(stated as patched in Register and SecurityWeek articles)
[?]
NextDNS (patched per forum reply):
https://help.nextdns.io/t/h7yxwc5/does-dnssec-security-hole-keytrap-cve-2023-50387-affect-nextdns
OS status:
Debian:
BIND:
https://lists.debian.org/debian-security-announce/2024/msg00028.html
pdns-recursor:
https://lists.debian.org/debian-security-announce/2024/msg00033.html
Unbound:
https://lists.debian.org/debian-security-announce/2024/msg00027.html
Fedora:
https://bodhi.fedoraproject.org/updates/FEDORA-2024-e24211eff0
FreeBSD:
https://cgit.freebsd.org/ports/commit/?id=58e048cad653819eebf91af5840e4b00f155bb1b
Gentoo:
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2023-50387
Mageia:
https://bugs.mageia.org/show_bug.cgi?id=32846
OpenBSD (unwind):
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50387
https://access.redhat.com/security/cve/CVE-2023-50868
SUSE:
https://www.suse.com/security/cve/CVE-2023-50387.html
https://bugzilla.suse.com/show_bug.cgi?id=1219823
Ubuntu:
https://ubuntu.com/security/CVE-2023-50387
https://ubuntu.com/security/CVE-2023-50868
https://ubuntu.com/security/notices/USN-6633-1
Windows (Server, DNS Role):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
Package status:
BIND:
https://repology.org/project/bind/versions
dnsmasq:
https://repology.org/project/dnsmasq/versions
Unbound:
https://repology.org/project/unbound/versions
GitHub:
https://github.com/advisories/GHSA-8459-gg55-8qjj
Go (Knot module?):
https://github.com/golang/vulndb/issues/2552
Non-coverage: (no mentions known yet)
AWS:
[?]
Azure (Microsoft Server DNS?):
[?]
Cisco Umbrella:
https://umbrella.cisco.com/blog [?]
CoreDNS:
https://coredns.io/blog/ [?]
Infoblox:
https://blogs.infoblox.com/ [?]
Quad9 DNS:
https://www.quad9.net/news/blog/ [?]
News/Press/Forums:
https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
https://news.ycombinator.com/item?id=39372384
https://www.darkreading.com/cloud-security/keytrap-dns-bug-threatens-widespread-internet-outages
Detection/Validation:
Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):
# zone signed, server DNSSEC-enabled:
$ delv example.net @8.8.8.8
; fully validated
example.net. 4437 IN A 93.184.216.34
example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==
# zone unsigned, server DNSSEC-enabled:
$ delv google.com @8.8.8.8
; unsigned answer
google.com. 100 IN A 142.250.69.206
Tenable:
https://www.tenable.com/plugins/pipeline/issues/165587
Snyk:
https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245755
Exploits:
(multiple sources describe as "trivial")
https://github.com/knqyf263/CVE-2023-50387 (not tested)
#keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
#dns #dnssec
-
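The Detection/Validation check above, as an added example that is not part of the original post: a standard-library Python probe that sends a query with the EDNS0 DO bit set and reads the AD (authenticated data) flag from the reply, the header bit behind delv's "fully validated" versus "unsigned answer" lines. The two sample reply headers are constructed, and the function and variable names are this example's own.

```python
import socket
import struct

# Added example (not from the original post): query a resolver with the EDNS0 DO
# bit and read the AD (authenticated data) flag from its reply. A validating
# resolver sets AD on answers from signed zones; an unsigned zone, or a resolver
# that does not validate, leaves it clear. SERVFAIL is what a validation failure
# (or an exhausted resolver) looks like from the client side.

def build_query(name, qtype=1, txid=0x1234):
    """Standard query (RD set) plus an OPT RR carrying DO; no third-party deps."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO=0x8000
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(resp):
    """Header bits that matter for a validation check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F, "ancount": an}

def classify(resp):
    """Same buckets delv prints, derived from the reply header only."""
    f = parse_flags(resp)
    if f["rcode"] == 2:
        return "SERVFAIL (validation failure or resolver trouble)"
    if f["ad"]:
        return "fully validated"
    return "unsigned answer or resolver not validating"

def probe(name, server, port=53, timeout=3.0, txid=0x1234):
    """Send the query over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, port))
        resp, _ = s.recvfrom(4096)
    if parse_flags(resp)["id"] != txid:
        raise ValueError("reply ID mismatch")
    return classify(resp)

# Constructed sample reply headers (not captured traffic):
# flags QR|RD|RA|AD = 0x81A0 and QR|RD|RA = 0x8180, one question each.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
UNSIGNED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    print(probe("example.net", "8.8.8.8"))
```

AD is only the resolver's own claim about what it validated; delv, by contrast, fetches the chain and validates it locally, so the two checks answer slightly different questions.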
Our #DNS `domain` crate for #rustlang is progressing in three parallel tracks: Ximon's #XFR Zone transfers with #TSIG is nearing completion, a proof of concept for query routing by Philip is ready for review so he can turn his attention to the #DNSSEC signing milestone, and Terts and Jannik have kicked off reimplementing the `ldns` tools and example programs in #Rust.
All development is #OpenSource and in the open you can follow the progress and contribute: https://github.com/NLnetLabs/domain/pulls
-
When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375
-
I'm obsessed with good #documentation and the Routinator user manual on #ReadTheDocs is my pride and joy.
We worked very hard to seamlessly integrate the manual page into it as well, allowing us to automatically link command line options, but we also wanted it to be the canonical source for building the manpage with rst2man. This saves us from keeping content in sync and messing with troff(1).
https://github.com/NLnetLabs/routinator/blob/main/doc/manual/source/manual-page.rst
#WriteTheDocs #TechnicalWriting #TechnicalDocumentation #OpenSource
-
Thanks to the @Nominet DNS Fund, we have been able to dedicate a team of five developers to building Cascade, our new #OpenSource #DNSSEC signing solution.
Leading up to a first production release in June, @ximon18 will be presenting on our progress at the @dnsoarc 46 workshop in Edinburgh in May.
Highlights will include new incremental signing and IXFR-out, performance/resource usage improvements, TSIG support, metrics, migration tooling, and more...
-
We've released Rotonda 0.5.2, our BMP/BGP route collector, bringing back the web UI in totally revamped fashion. It's still simplistic, by design, but now offers a lot more insight into both the actual routes as well as session information.
As the UI is still evolving, we are gathering feedback; please chime in with anything that comes to mind:
https://community.nlnetlabs.nl/t/web-ui-feedback-ideas/85
https://github.com/NLnetLabs/rotonda/releases/tag/v0.5.2
#BGP #BMP #RustLang
-
We are thrilled to announce the release of version 0.10.2 of domain, our #OpenSource #rustlang library that provides essential building blocks for working with #DNS. This latest version introduces several new features, including a #DNSSEC validator, #XFR zone transfers, client and server transport, TSIG request signing and response validation, and much more. For more information, please visit our GitHub repository: https://github.com/NLnetLabs/domain/releases/tag/v0.10.2