Upgrade unbound resolver to 1.6.8 if used for DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 5 17:29:58 CET 2018


If you're using unbound as your local DNSSEC-validating
resolver and have enabled DANE, an issue is resolved in
unbound 1.6.8 where NSEC records for wildcards could be
misused for invalid denial-of-existence proofs.  See:

  https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be
  https://unbound.net/downloads/CVE-2017-15105.txt

The first article mentions that the same issue affected
PowerDNS and Dnsmasq.  So if you're using one of those,
you might also need to update.  While Google's public
DNS was also affected, this is out of scope for DANE,
as you get little security from relying on the AD bit
from remote resolvers.

-- 
	Viktor.
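Added illustration (not part of Viktor's message, and not unbound's or any other resolver's code): a minimal validator-side NSEC coverage check showing why an NSEC record returned from a wildcard expansion must not be used with its expanded owner name. The wildcard detection relies on the RRSIG Labels field being smaller than the owner's label count (RFC 4034 section 3.1.3, RFC 4035 section 5.3.4); the zone contents, names and the `strict` switch that reproduces the unfixed behaviour are constructed for this example.

```python
"""Validator-side NSEC coverage check that refuses to treat a wildcard-expanded
NSEC as if it were owned by the expanded name.  Illustrative code only; the
zone, names and record values below are constructed for the example."""
from dataclasses import dataclass


def canonical_labels(name: str) -> list:
    """Labels of `name` in DNSSEC canonical form (RFC 4034 s6.1): lowercase,
    root-most label first, trailing dot ignored."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """Compare two names in canonical order: -1, 0 or 1 (ancestor sorts first)."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def label_count(name: str) -> int:
    """Label count as the RRSIG Labels field counts it: the root label and a
    leading '*' label are excluded (RFC 4034 s3.1.3)."""
    labels = canonical_labels(name)
    if labels and labels[-1] == "*":
        labels = labels[:-1]
    return len(labels)


@dataclass
class NSEC:
    owner: str         # owner name exactly as received in the response
    next_name: str     # Next Domain Name field
    rrsig_labels: int  # Labels field of the RRSIG covering this NSEC


def effective_owner(nsec: NSEC) -> str:
    """If the RRSIG Labels field is smaller than the owner's label count the
    RR was synthesized from a wildcard (RFC 4035 s5.3.4).  The NSEC then
    belongs to the wildcard name, so rewrite the owner before any range check."""
    n = label_count(nsec.owner)
    if nsec.rrsig_labels > n:
        raise ValueError("RRSIG Labels exceeds owner label count: bogus record")
    if nsec.rrsig_labels < n:
        wire = nsec.owner.rstrip(".").split(".")
        return "*." + ".".join(wire[n - nsec.rrsig_labels:]) + "."
    return nsec.owner


def nsec_covers(nsec: NSEC, qname: str, strict: bool = True) -> bool:
    """Does this NSEC prove that no name `qname` exists in the zone?
    strict=True normalises the owner back to the wildcard first;
    strict=False trusts the expanded owner (the class of bug fixed in 1.6.8)."""
    owner = effective_owner(nsec) if strict else nsec.owner
    if canonical_cmp(owner, nsec.next_name) < 0:
        return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, nsec.next_name) < 0
    # owner >= next_name: the last NSEC in the zone, wrapping around to the apex
    return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, nsec.next_name) < 0


# Constructed zone: example.com holds the apex, *.example.com, www.example.com
# and zzzz.example.com.  The wildcard's real NSEC is
#   *.example.com. NSEC www.example.com.
# A query for zzz.example.com/NSEC matches the wildcard, so the server returns
# that record expanded to the query name, signed with Labels=2.
EXPANDED = NSEC(owner="zzz.example.com.", next_name="www.example.com.", rrsig_labels=2)


def demo() -> dict:
    target = "zzzz.example.com."  # exists in the zone (say it carries TLSA records)
    return {
        "effective_owner": effective_owner(EXPANDED),
        # expanded owner zzz > next www looks like a wrap-around NSEC covering
        # everything after zzz, so the real name zzzz appears not to exist
        "buggy_denies_existing_name": nsec_covers(EXPANDED, target, strict=False),
        "fixed_denies_existing_name": nsec_covers(EXPANDED, target, strict=True),
        # a name between the wildcard and www is still correctly covered
        "fixed_covers_nonexistent_name": nsec_covers(EXPANDED, "mail.example.com.", strict=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the check is that the attacker-chosen query name becomes the NSEC owner in the expanded record, so an unfixed validator lets the querier pick the apparent coverage range; rewriting the owner to the wildcard name restores the range the zone signer actually signed.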
