Update Rust crate hickory-proto to 0.26.0 [SECURITY]

[oxide-renovate]

This PR contains the following updates:

Package	Type	Update	Change
hickory-proto (source)	workspace.dependencies	minor	0.25.2 → 0.26.0

---

hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression

GHSA-q2qq-hmj6-3wpp

More information

Details

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.

Reporter

Qifan Zhang, Palo Alto Networks

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp
• https://rustsec.org/advisories/RUSTSEC-2026-0119.html
• https://github.com/advisories/GHSA-q2qq-hmj6-3wpp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

hickory-dns/hickory-dns (hickory-proto)

v0.26.1

Compare Source

This point release for the 0.26 release series brings in several bug fixes, and no user-facing changes. Two security reports are addressed:
RUSTSEC-2026-0120 and RUSTSEC-2026-0119.

What's Changed

• net: avoid infinite loop in NSEC3 processing by @​djc in #​3597
• Limit work expended on name compression (backport) by @​divergentdave in #​3615

Full Changelog: hickory-dns/hickory-dns@v0.26.0...v0.26.1

v0.26.0: 0.26.0

Compare Source

13 months after the release of 0.25.0, we finally have a bigger feature release of Hickory DNS, the suite of DNS libraries and authoritative/recursive name servers written in pure Rust. A lot of work has gone into this release, so we wanted to take a moment to release this before we continue work on deploying the Hickory DNS recursive resolver at Let's Encrypt (and did you see that Hickory is being used in some of Google's Pixel devices?). Because of the ongoing work, we expect that 0.27.0 might happen quite a bit sooner than in 13 months from now.

These release notes describe a number of high-level improvements as well as API changes that are likely to break a larger fraction of our downstream users. Feedback (both on these notes and the release itself) is always welcome in our issue tracker or via our Discord server.

Most of the following notes are broken up by specific components: the server binary and our library crates. However, for this release we've made several changes to the structure of our crates itself:

• Network protocol support has moved out of the hickory-proto crate, into a new hickory-net crate (#​3394); this allows the hickory-proto crate to cleanly focus on message encoding and decoding.
• The hickory-client crate has been subsumed into hickory-net, in the client module (#​3366). No future releases of the hickory-client crate are expected.
• The hickory-recursor crate has been merged into hickory-resolver (#​3370), guarded by a recursor feature which must be enabled explicitly. The recursor implementation was already tightly coupled to the resolver internals, so keeping it separate didn't really make sense.

Additionally, substantial cross-crate changes have been made to improve our error handling:

• More error handling simplification
• proto: split NetError out of ProtoError
• proto: clean up ProtoError
• Be more strict about decode errors
• resolver: remove unnecessary ResolveError wrapper
• Avoid large errors

hickory-dns (the server binary)

• We've added a number of ways to optimize performance via low-level networking configuration:
  • Use SO_REUSEADDR for tcp sockets
  • Allow configuring UDP socket buffer sizes
  • Add SO_REUSEPORT support with configurable UDP socket count
  • More TCP tuning options
• We further extended and reworked our metrics:
  • Additional recursive resolver metrics
  • Minor metrics tidying
  • Initial histogram metrics support
• Miscellaneous changes:
  • Implement RFC 5001 NSID for authoritative server
  • Add server SSLKEYLOGFILE support
  • Add systemd readiness + watchdog support
  • prometheus: enable gzip compression on metrics endpoint
  • Add support for jemalloc + profiling

hickory-server (the library API)

• The Authority trait was renamed to ZoneHandler and simplified to better reflect its usage:
  • Rename Authority to ZoneHandler
  • Simplify ZoneHandler interface
  • Use concrete type for authority lookups
  • Untangle authorities
• Miscellaneous changes:
  • Support host format in blocklist stores
  • Authenticated AXFR policy, TSIG response signing
  • Add metrics for zone lookups, DNS classes and record types

hickory-resolver

We made many improvements to improve correctness and efficiency of both the recursive resolver and the "stub" resolver. In addition, we want to highlight the following changes:

• We substantially changed the high-level resolver and configuration API:
  • Refactor name server configuration
  • Enable validation when trust anchors are configured
  • Introduce ServerGroup type to replace NameServerGroupConfig
  • Configure by name server
  • Tweak high-level API
  • Hide validate option if DNSSEC support is not available
  • Default trust_negative_responses to true
  • Use a single list of servers
  • Make ResolverConfig fields public
  • Simplify ConnectionProvider interface
  • Abstract NS conn/conn config policy
  • Make connection pool track servers
• We improved handling of the system default resolution settings:
  • Trust negative responses from system resolvers by default
  • Retrieve system configuration through system API on Apple platforms
  • Get Android's DNS servers
• We improved the efficiency of the resolver internals:
  • Increase default cache size to 8k
• Miscellaneous changes:
  • Implement RFC 9539 opportunistic encryption
  • Add Ipv6AndIpv4 strategy
  • Add recursor metrics
  • Allow disabling H3 grease, as needed for Cloudflare

hickory-net

We made substantial improvements to DNSSEC validation and our handling of potentially spoofing messages.

• Miscellaneous changes:
  • Stop ignoring response decoding failures for UDP requests
  • Do not resolve private/reserved addresses on public zones
  • Simplify runtime

hickory-proto

• We have made the fields for several core types directly public:
  • Simplify low-level message API
  • Make Record fields public
  • Simplify RData API
  • Change field and method names for Authority section of messages
  • Simplify signing
• We now enable EDNS by default in outgoing messages, increasing the max payload length:
  • Default to enabling EDNS, increase max payload length
  • Make EDNS payload length configurable
• We removed SIG(0) authentication in favor of the more popular TSIG alternative:
  • Remove SIG(0) message authentication
• Miscellaneous changes:
  • Reject QR=0 responses as invalid
  • Reject zero-length data for non-update messages
  • Add support for SMIMEA records
  • Add support for dynamic headers in DoH requests

Details

For more details, review the detailed release notes for our pre-releases:

• Beta 4
• Beta 3
• Beta 2
• Beta 1
• Alpha 1

and these final PRs merged after beta 4:

• proto: reject zero-length data for non-update messages by @​djc in #​3577
• server: deduplicate response encoding by @​djc in #​3555
• Disable dig retries when testing cache behavior by @​divergentdave in #​3590
• Conformance: print communication errors from dig by @​divergentdave in #​3591

Thanks

Finally, we want to thank everyone who contributed to this release: @​bryanlarsen, @​billf, @​hargut, @​ibigbug, @​xi0, @​steffengy, @​james7132, @​Thomasdezeeuw, @​Kriskras99, @​mispp, @​conradludgate, @​nabijaczleweli, @​musicinmybrain, @​msrd0, @​jmwample, @​LAGonauta, @​tisonkun, @​provokateurin, @​lemon-sh, @​thomas-zahner, @​jpds, @​lpraneis, @​zachsmith1, @​jackboykin, @​ZnqbuZ, @​Jeidnx, @​kn0sys, @​matheus23, @​benesch, @​roblabla and of course our maintainers @​cpu, @​divergentdave, @​marcus0x62 and @​djc.

---

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

• Branch creation
  • ""
• Automerge
  • "after 8pm,before 6am"

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[oxide-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.