Highlights
Denial of Service: 489 prior fixes. Scrutinize any change in this area.
lib/dns/resolver.c: most-fixed (177 issues). Treat as high-risk during review.
392 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Denial of Service: Recursive lookup logic frequently self-deadlocks, hangs, or crashes via assertion failures during complex recursive validation, qname minimization, and under high query concurrency. Limits on parallel fetches, query counters, and recursion depth must be strictly enforced.
Auth Bypass: Logical bypasses in the DNSSEC validator permit unverified negative proofs (NSEC/NSEC3), mismatched ancestor wildcard signers, or faulty algorithm checks to synthesize validated secure answers. Must-be-secure policies must fail-closed on verification errors.
Denial of Service: Long-running DNSSEC cryptoprocessing and validation chains can exhaust CPU resources or deadlock when processing unconstrained NSEC3 iterations, problematic algorithm keysets, or canceled tasks. Iteration and validation quotas must abort gracefully without triggering assertions.