Upgrade unbound resolver to 1.6.8 if used for DANE
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 5 17:29:58 CET 2018
If you're using unbound as your local DNSSEC-validating
resolver and have enabled DANE, an issue is resolved in
unbound 1.6.8 where NSEC records for wildcards could be
misused for invalid denial-of-existence proofs. See:
https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be
https://unbound.net/downloads/CVE-2017-15105.txt
The first article mentions that the same issue affected
PowerDNS and Dnsmasq. So if you're using one of those,
you might also need to update. While Google's public
DNS was also affected, this is out of scope for DANE,
as you get little security from relying on the AD bit
from remote resolvers.
--
Viktor.
More information about the dane-users
mailing list