Upgrade unbound resolver to 1.6.8 if used for DANE

Viktor Dukhovni

If you're using unbound as your local DNSSEC-validating
resolver and have enabled DANE, an issue is resolved in
unbound 1.6.8 where NSEC records for wildcards could be
misused for invalid denial-of-existence proofs.  See:

   https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be
   https://unbound.net/downloads/CVE-2017-15105.txt

The first article mentions that the same issue affected
PowerDNS and Dnsmasq.  So if you're using one of those,
you might also need to update.  While Google's public
DNS was also affected, this is out of scope for DANE,
as you get little security from relying on the AD bit
from remote resolvers.

--
        Viktor.
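The check a validating resolver needs in order to avoid the misuse described above, as an added example that is not part of the original post and not unbound's own code: an NSEC RRset whose covering RRSIG has a Labels field smaller than the owner name's label count was synthesized from a wildcard (RFC 4034 section 3.1.3, RFC 4035 section 5.3.4), and such a record must not be used as a denial-of-existence proof for other names. The example goes beyond the post by also doing the ordinary range test in DNSSEC canonical name order (RFC 4034 section 6.1). All names, the `NSEC` class and the `can_deny_existence` function are constructed for illustration; presentation names are assumed to be plain ASCII without escapes.

```python
"""Added example: refuse wildcard-synthesized NSEC records as denial proofs."""
from __future__ import annotations

from dataclasses import dataclass


def canonical_labels(name: str) -> list[bytes]:
    """Labels of a fully qualified name, lowercased, root side first.
    Simplification: plain ASCII presentation names, no escape sequences."""
    name = name.rstrip(".").lower()
    if not name:
        return []
    return [label.encode("ascii") for label in reversed(name.split("."))]


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS name ordering (RFC 4034 s6.1): compare label by label
    from the root; a name that is a prefix of the other sorts first."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def signed_label_count(owner: str) -> int:
    """Label count as used by the RRSIG Labels field (RFC 4034 s3.1.3):
    the root label is not counted and neither is a leading wildcard label."""
    labels = canonical_labels(owner)
    if labels and labels[-1] == b"*":
        labels = labels[:-1]
    return len(labels)


@dataclass
class NSEC:
    """A cached NSEC record together with the Labels field of its RRSIG.
    Constructed data type for this example, not a library class."""
    owner: str
    next_name: str
    rrsig_labels: int


def is_wildcard_expanded(rr: NSEC) -> bool:
    """RFC 4035 s5.3.4: owner has more labels than the RRSIG Labels field,
    so the RRset was produced by wildcard expansion (owner is not the
    name that was actually signed)."""
    return signed_label_count(rr.owner) > rr.rrsig_labels


def nsec_covers(rr: NSEC, qname: str) -> bool:
    """True when qname sorts strictly between owner and next.  When next
    sorts at or before owner this is the last NSEC in the chain and it
    covers everything after owner up to the end of the zone."""
    after_owner = canonical_cmp(rr.owner, qname) < 0
    if canonical_cmp(rr.next_name, rr.owner) <= 0:
        return after_owner
    return after_owner and canonical_cmp(qname, rr.next_name) < 0


def can_deny_existence(rr: NSEC, qname: str) -> tuple[bool, str]:
    """Decide whether rr is an acceptable proof that qname does not exist."""
    if is_wildcard_expanded(rr):
        return False, "NSEC synthesized from a wildcard; not usable as a proof"
    if not nsec_covers(rr, qname):
        return False, "qname is not in the NSEC range"
    return True, "qname is covered by the NSEC"


if __name__ == "__main__":
    # Constructed records: the wildcard's real NSEC, and the same data as
    # returned for a query name matched by the wildcard (owner rewritten,
    # RRSIG Labels still 1 because "*.example." was what got signed).
    real = NSEC("*.example.", "a.example.", 1)
    expanded = NSEC("foo.example.", "a.example.", 1)
    for rr in (real, expanded):
        print(rr.owner, "->", can_deny_existence(rr, "zzz.example."))
```

Taken at face value, the expanded record looks like the last NSEC of the zone (its next name sorts before its owner) and would "prove" that every name after `foo.example.` is absent; the Labels test is what stops that record from being used as a proof at all.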