Dear Knot Resolver users,
Knot Resolver versions 5.7.1 (stable) and 6.0.6 (early-access) have been
released!
These releases include important security fixes; an update is strongly
advised!
Security:
- CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU
* validator: lower the NSEC3 iteration limit (150 -> 50)
* validator: similarly also limit excessive NSEC3 salt length
* cache: limit the amount of work on SHA1 in NSEC3 aggressive cache
* validator: limit the amount of work on SHA1 in NSEC3 proofs
* validator: refuse to validate answers with more than 8 NSEC3 records
- CVE-2023-50387 "KeyTrap": DNSSEC verification complexity could be
exploited to exhaust CPU resources and stall DNS resolvers. The solution
boils down mainly to limiting crypto-validations per packet.
We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel and
Michael Waidner from the German National Research Center for Applied
Cybersecurity ATHENE for bringing this vulnerability to our attention.
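As an added illustration of the NSEC3 item above (this is not code from the Knot Resolver project), the following Python computes the RFC 5155 NSEC3 hash, estimates the SHA-1 work it costs, and applies the announced per-answer limits; the salt-length cap is an assumed value, since the announcement gives no figure for it.

```python
import hashlib
import base64

# Limits from the release notes above: NSEC3 iteration limit lowered to 50
# and at most 8 NSEC3 records per answer. The salt cap is an assumed value
# for this example; the announcement gives no figure for it.
MAX_NSEC3_ITERATIONS = 50
MAX_NSEC3_RECORDS = 8
MAX_SALT_LEN = 32  # assumption, not from the release notes

# base32 -> base32hex alphabet (RFC 4648 section 7), as NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(k-1)||salt).
    SHA-1 runs iterations+1 times; every round hashes a 20-byte digest plus the salt."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def sha1_blocks(iterations: int, salt_len: int) -> int:
    """Approximate SHA-1 compression blocks for one NSEC3 hash: each of the
    iterations+1 rounds hashes 20 bytes plus the salt, padded (at least 9 bytes)
    up to 64-byte blocks. Both the iteration count and the salt length, which
    the zone operator chooses, drive the validator's cost."""
    blocks_per_round = (20 + salt_len + 9 + 63) // 64
    return (iterations + 1) * blocks_per_round


def nsec3_rrset_acceptable(records):
    """Apply the announced limits to a list of (iterations, salt) pairs taken
    from the NSEC3 records of one answer. Returns (accepted, reason)."""
    if len(records) > MAX_NSEC3_RECORDS:
        return False, "more than %d NSEC3 records" % MAX_NSEC3_RECORDS
    for iterations, salt in records:
        if iterations > MAX_NSEC3_ITERATIONS:
            return False, "iterations %d exceed %d" % (iterations, MAX_NSEC3_ITERATIONS)
        if len(salt) > MAX_SALT_LEN:
            return False, "salt length %d exceeds %d" % (len(salt), MAX_SALT_LEN)
    return True, "ok"
```

The hash check uses the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations), so the result can be compared against the RFC's example zone.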
Improvements:
- update addresses of B.root-servers.net (!1478)
Bugfixes:
- fix potential SERVFAIL deadlocks if net.ipv6 = false (#880)
The update affects how some cached records are treated, which may trip up
some sanity-checking mechanisms in Knot Resolver if you have advanced
debugging options enabled (disabled by default):
"debugging.assertion_abort" for version 5 (Lua) and
"logging/debugging/assertation-abort" for version 6 (YAML). In case you
encounter any issues, please try clearing the cache first.
Full changelog:
https://gitlab.nic.cz/knot/knot-resolver/raw/v5.7.1/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.7.1.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.7.1/
--
Ales Mrazek
PGP: 3057 EE9A 448F 362D 7420 5A77 9AB1 20DA 0A76 F6DE