home.social

297 results for “nlnetlabs”

  1. As announced at #RIPE86, the RIPE NCC #RPKI Publication Service is now in production and proving quite popular. 167 CAs are now active, publishing 2100 ROAs, resulting in 3671 VRPs. It’s easy to set this up, and will allow you to sub-delegate resources, do #ASPA, as well as #BGPsec. blog.nlnetlabs.nl/running-kril

  2. Good morning, Yokohama! Second day of #IETF116, still at the hackathon.
    Improving #DNS #privacy with #aDoT (authoritative DNS over TLS, encryption to the authoritative name server), work mostly done by @nlnetlabs

    ietf.org/how/runningcode/hacka

  7. I'm obsessed with good #documentation and the Routinator user manual on #ReadTheDocs is my pride and joy.

    We worked very hard to seamlessly integrate the manual page into it as well, allowing us to automatically link command line options, but we also wanted it to be the canonical source for building the manpage with rst2man. This saves us from keeping content in sync and messing with troff(1).

    github.com/NLnetLabs/routinato

    #WriteTheDocs #TechnicalWriting #TechnicalDocumentation #OpenSource

  8. CW: New multi-implementation DNSSEC validation DoS vulnerabilities - CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)

    (living doc, updated regularly - if you prefer a low-edit post to boost, use infosec.exchange/@tychotithonu)

    Looks like DNS-OARC coordinated fixes in advance, but no centralized analysis at first other than the announcement from the team who discovered KeyTrap:

    Details may be still partially embargoed until patching ramps up.

    Analysis:

    DoS of all major DNSSEC-validating DNS resolvers (servers, but also maybe local resolvers like systemd's?) at the implementation level. Exploitation described as 'trivial'. Both are CVSS 7.5. DNS is a rich ransom target - but some resolver setups don't even validate DNSSEC.

    "In 2012 the vulnerability made its way into the implementation requirements for DNSSEC validation, standards RFC 6781 and RFC 6840" (per ATHENE)

    Per the Unbound writeup, both vulns require a query to a malicious zone (which is probably not hard to trigger, for any DNSSEC-enabled client or server).

    Resolution: patch (recommended); disable DNSSEC validation (discouraged, but can buy you time / mitigate active DoS)

    Fixes mitigate the exhaustion by putting caps on validation activities. These caps appear to have been missing from most implementations.

    Details:

    Two DNSSEC DoS CVEs:

    CVE-2023-50387 ("KeyTrap"): "DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers" (CVSS 7.5)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    seclists.org/oss-sec/2024/q1/1

    (KeyTrap was discovered by ATHENE - their press release here has very important detail:
    athene-center.de/en/news/press)

    CVE-2023-50868: "NSEC3 closest encloser proof can exhaust CPU" (CVSS 7.5)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    MITRE links (now populated):
    cve.mitre.org/cgi-bin/cvename.
    cve.mitre.org/cgi-bin/cvename.

    Vulmon queries:
    vulmon.com/searchpage?q=CVE-20
    vulmon.com/searchpage?q=CVE-20

    VulDB:
    vuldb.com/?id.253829

    Resolver status:

    BIND (patched - vuln since 2000?):
    fosstodon.org/@iscdotorg/11192
    kb.isc.org/docs/cve-2023-50387
    kb.isc.org/docs/cve-2023-50868
    seclists.org/oss-sec/2024/q1/1
    isc.org/blogs/2024-bind-securi
    (note: posts say "Versions prior to 9.11.37 were not assessed." but also have a range of affected versions starting at 9.0.0 - typo?)

    BIND tools:
    dig: no validation
    kdig: no validation
    delv: affected, patched

    dnsmasq (patched - 2.90 has fix):
    thekelleys.org.uk/dnsmasq/CHAN
    lists.thekelleys.org.uk/piperm

    Knot (patched in 5.7.1):
    knot-resolver.cz/2024-02-13-kn
    (kzonecheck also affected, patched?)

    ldns-verify-zone:
    affected per ATHENE paper

    OPNsense (patched):
    forum.opnsense.org/index.php?t

    pfSense:
    (Bundled Unbound: plan appears to be to make a separate package available for manual update?; BIND: optional package)
    forum.netgate.com/topic/186145
    redmine.pfsense.org/issues/152

    Pi-Hole (uses dnsmasq - patch available)
    patreon.com/posts/dnssec-fix-9
    pi-hole.net/blog/2024/02/13/fi

    PowerDNS (patched - all versions affected):
    blog.powerdns.com/2024/02/13/p
    github.com/PowerDNS/pdns/pull/
    github.com/PowerDNS/pdns/pull/
    seclists.org/oss-sec/2024/q1/1

    Stubby:
    [?]
    github.com/getdnsapi/stubby

    systemd.resolved:
    [?]

    Ubiquiti
    [?]

    Unbound (patched - vuln since Aug 2007):
    nlnetlabs.nl/news/2024/Feb/13/
    nlnetlabs.nl/downloads/unbound
    seclists.org/oss-sec/2024/q1/1

    Library status:*
    dnspython (GitHub patched):
    affected per ATHENE paper
    github.com/rthalley/dnspython/

    getdns (used by stubby - no patched release?):
    affected per ATHENE paper
    getdnsapi.net/releases/

    ldns (not yet patched?):
    affected per ATHENE paper
    github.com/NLnetLabs/ldns

    libunbound (used by Unbound):
    affected per ATHENE paper
    no recent patches?
    github.com/NLnetLabs/unbound/t

    Cloud status:

    Akamai:
    akamai.com/blog/security/dns-e

    Cloudflare:
    blog.cloudflare.com/remediatin

    Google DNS:
    (stated as patched in Register and SecurityWeek articles)
    [?]

    NextDNS (patched per forum reply):
    help.nextdns.io/t/h7yxwc5/does

    OS status:

    Debian:
    BIND:
    lists.debian.org/debian-securi
    pdns-recursor:
    lists.debian.org/debian-securi
    Unbound:
    lists.debian.org/debian-securi

    Fedora:
    bodhi.fedoraproject.org/update

    FreeBSD:
    cgit.freebsd.org/ports/commit/

    Gentoo:
    bugs.gentoo.org/show_bug.cgi?i

    Mageia:
    bugs.mageia.org/show_bug.cgi?i

    OpenBSD (unwind):

    Red Hat:
    bugzilla.redhat.com/show_bug.c
    access.redhat.com/security/cve
    access.redhat.com/security/cve

    SUSE:
    suse.com/security/cve/CVE-2023
    bugzilla.suse.com/show_bug.cgi

    Ubuntu:
    ubuntu.com/security/CVE-2023-5
    ubuntu.com/security/CVE-2023-5
    ubuntu.com/security/notices/US

    Windows (Server, DNS Role):
    msrc.microsoft.com/update-guid

    Package status:

    BIND:
    repology.org/project/bind/vers

    dnsmasq:
    repology.org/project/dnsmasq/v

    Unbound:
    repology.org/project/unbound/v

    GitHub:
    github.com/advisories/GHSA-845

    Go (Knot module?)
    github.com/golang/vulndb/issue

    Non-coverage: (no mentions known yet)

    AWS :
    [?]

    Azure (Microsoft Server DNS?):
    [?]

    Cisco Umbrella:
    umbrella.cisco.com/blog [?]

    CoreDNS:
    coredns.io/blog/ [?]

    Infoblox:
    blogs.infoblox.com/ [?]

    Quad9 DNS:
    quad9.net/news/blog/ [?]

    News/Press/Forums

    pducklin.com/2024/02/18/the-sc

    theregister.com/2024/02/13/dns

    securityweek.com/keytrap-dns-a

    bleepingcomputer.com/news/secu

    news.ycombinator.com/item?id=3

    darkreading.com/cloud-security

    Detection/Validation:

    Check to see if a server is doing DNSSEC validation (if not an open recursive resolver, you may need to query a zone the server is authoritative for):

    # zone signed, server DNSSEC-enabled:
    $ delv example.net @8.8.8.8
    ; fully validated
    example.net. 4437 IN A 93.184.216.34
    example.net. 4437 IN RRSIG A 13 2 86400 20240225232039 20240204162038 18113 example.net. 94G2PRXins1G9ntfklvCq2mvcgqjB0z9FqQXp77lD/wXR4J3D67ceih1 yNgsYYqlIAOoWKXUekux6Zq9aIwszQ==

    # zone unsigned, server DNSSEC-enabled:
    $ delv google.com @8.8.8.8
    ; unsigned answer
    google.com. 100 IN A 142.250.69.206

    Tenable:
    tenable.com/plugins/pipeline/i

    Snyk:
    security.snyk.io/vuln/SNYK-UNM

    Exploits:

    (multiple sources describe as "trivial")

    github.com/knqyf263/CVE-2023-5 (not tested)

    #keytrap #nsec3 #CVE202350387 #CVE202350868 #CVE_2023_50387 #CVE_2023_50868
    #dns #dnssec
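A toy model, added here and not part of the post above or of any resolver's code, of the exhaustion the post describes and of the validation cap it says the fixes introduced: a validator tries every RRSIG against every DNSKEY whose key tag matches, so colliding key tags make the work quadratic, and a bounded attempt counter that fails closed stops that. Key, Sig, colliding_zone and the hash-based "signature" are constructed stand-ins, and the cap value 16 is arbitrary.

```python
from dataclasses import dataclass
import hashlib

# Toy stand-ins for DNSKEY and RRSIG records. The tag is set directly so
# that collisions can be constructed (real key tags derive from key data).
@dataclass(frozen=True)
class Key:
    key_tag: int
    material: bytes

@dataclass(frozen=True)
class Sig:
    key_tag: int
    mac: bytes

def sign(rrset: bytes, key: Key) -> Sig:
    # Keyed hash as a stand-in for a real DNSSEC signature algorithm.
    return Sig(key.key_tag, hashlib.sha256(key.material + rrset).digest())

def verify(rrset: bytes, key: Key, sig: Sig) -> bool:
    return hashlib.sha256(key.material + rrset).digest() == sig.mac

def validate(rrset: bytes, keys, sigs, max_attempts=None):
    """Try every RRSIG against every DNSKEY with a matching key tag (the
    pre-fix behaviour when max_attempts is None). Returns (secure, attempts).
    With a cap, stop and treat the RRset as bogus once it is exhausted,
    which is the kind of limit the fixes add."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts
            attempts += 1
            if verify(rrset, key, sig):
                return True, attempts
    return False, attempts

def colliding_zone(n: int):
    """Constructed worst case: n keys sharing one key tag and n signatures
    carrying that tag, none of which verifies against any key."""
    keys = [Key(12345, b"key-%d" % i) for i in range(n)]
    sigs = [Sig(12345, hashlib.sha256(b"bogus-%d" % i).digest()) for i in range(n)]
    return keys, sigs

if __name__ == "__main__":
    rrset = b"example.net. 3600 IN A 192.0.2.1"
    keys, sigs = colliding_zone(50)
    print(validate(rrset, keys, sigs))                   # (False, 2500)
    print(validate(rrset, keys, sigs, max_attempts=16))  # (False, 16)
```

Real validators apply such counters per query and across RRsets and keep a separate budget for NSEC3 hashing (the CVE-2023-50868 side); this block only shows the per-RRset signature case.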

  9. Today we joined the discussion with @Nominet DNS Fund on funding Open Source Software during the #RIPE92 Open Source WG session.

    Amy and Dave presented the DNS Fund programme, after which four recipients (including us) shared experiences. We highlighted our very positive experience supporting our Cascade project, a stand-alone DNSSEC signer and key manager.

    Slides & recording:
    ripe92.ripe.net/programme/meet

  10. After showing the progress of our #DNSSEC signing solution Cascade at DNS-OARC last weekend, this week we are at #RustWeek, supporting the developer community that makes our new software possible.

    #DNS #OpenSource #rustlang

  15. @ximon18 @dnsoarc after his talk on stage, Ximon will be at the demo table in the lunch area, where he can show all the other tricks Cascade has learned since OARC 45 in Stockholm.

    Also, make sure to bring your zone files so you can for example see how fast parallel #DNSSEC signing by @bal4e really is. #DNS #LoveDNS #OpenSource

  20. Please pray to the live demo Gods over lunch so @ximon18 can show you our #DNSSEC signer Cascade in action this afternoon at @dnsoarc 46.

    We’ll cover incremental signing with IXFR in and out with TSIG, all on a YubiHSM we packed. 🤞

    #LoveDNS