Surfaced by master PR #507's cargo-audit job (failed run https://github.com/intendednull/willow/actions/runs/25240179167/job/74014485715).
Advisory
- ID: RUSTSEC-2026-0120
- Crate:
hickory-net 0.26.0-beta.4
- Title: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
- Date: 2026-05-01 (published yesterday)
- URL: GHSA-3v94-mw7p-v465
- Solution: Upgrade to
>=0.26.1
Why we no can simple cargo update
Same root cause as #(RUSTSEC-2026-0119 follow-up): hickory-* 0.26.0-beta.4 pinned by iroh stack via hickory-resolver 0.26.0-beta.4. iroh release needed to bump req range to stable hickory.
hickory-net 0.26.0-beta.4
└── hickory-resolver 0.26.0-beta.4
├── iroh-relay 0.98.0
└── iroh 0.98.1
Action
- Add
--ignore RUSTSEC-2026-0120 to .github/workflows/ci.yml cargo-audit step w/ comment ref this issue.
- Re-evaluate when iroh release bump hickory req range to allow 0.26.1+.
Reachability
NSEC3 validation hit only on signed DNS responses w/ cross-zone proofs — willow no validate DNSSEC end-to-end; iroh use hickory for relay-discovery DNS resolution. Practical reach low; track for upstream.
Same shape as #223, #246, #247, #316, #317, #318 trackers.
Surfaced by master PR #507's
cargo-auditjob (failed run https://github.com/intendednull/willow/actions/runs/25240179167/job/74014485715).Advisory
hickory-net 0.26.0-beta.4>=0.26.1Why we no can simple
cargo updateSame root cause as #(RUSTSEC-2026-0119 follow-up): hickory-* 0.26.0-beta.4 pinned by iroh stack via
hickory-resolver 0.26.0-beta.4. iroh release needed to bump req range to stable hickory.Action
--ignore RUSTSEC-2026-0120to.github/workflows/ci.ymlcargo-audit step w/ comment ref this issue.Reachability
NSEC3 validation hit only on signed DNS responses w/ cross-zone proofs — willow no validate DNSSEC end-to-end; iroh use hickory for relay-discovery DNS resolution. Practical reach low; track for upstream.
Same shape as #223, #246, #247, #316, #317, #318 trackers.