Upgrade unbound resolver to 1.6.8 if used for DANE

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 5 17:29:58 CET 2018

If you're using unbound as your local DNSSEC-validating
resolver and have enabled DANE, an issue is resolved in
unbound 1.6.8 where NSEC records for wildcards could be
misused for invalid denial-of-existence proofs.  See:


The first article mentions that the same issue affected
PowerDNS and Dnsmasq.  So if you're using one of those,
you might also need to update.  While Google's public
DNS was also affected, this is out of scope for DANE,
as you get little security from relying on the AD bit
from remote resolvers.
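To make the failure class concrete, here is an added illustration (not unbound's code, and not part of the original post) of the DNSSEC canonical-ordering and NSEC covering logic a validator uses for a name-error proof, together with the rule that an NSEC record owned by a wildcard cannot prove the absence of a name that wildcard would synthesise. It assumes the RFC 4034/4035 ordering and proof rules; it does not reproduce the specific unbound defect.

```python
"""Canonical DNS name order and NSEC covering checks (RFC 4034 s6.1, RFC 4035 s5.4).

Added illustration for the advisory above, not code from unbound or the post.
It encodes one rule: an NSEC owned by a wildcard cannot prove that a name the
wildcard would expand to does not exist.
"""


def canon_key(name: str) -> tuple:
    """Key that sorts names in DNSSEC canonical order: compare labels from the
    root downwards, case-insensitively, as unsigned bytes; a name that is a
    prefix (ancestor) of another sorts first."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between the NSEC owner and its next name.
    The last NSEC in a zone wraps around to the apex, so there next < owner."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around at the end of the zone


def wildcard_matches(wildcard: str, qname: str) -> bool:
    """Would a wildcard owner name such as '*.example.' expand to qname?"""
    w, q = canon_key(wildcard), canon_key(qname)
    if not w or w[-1] != b"*":
        return False
    parent = w[:-1]
    return len(q) > len(parent) and q[: len(parent)] == parent


def nsec_proves_name_error(owner: str, next_name: str, qname: str) -> bool:
    """Accept an NSEC as an NXDOMAIN proof for qname only if it covers qname
    and its owner is not a wildcard that would match qname. A full validator
    also needs the closest-encloser wildcard NSEC; only the wildcard-owner
    check is shown here."""
    if not nsec_covers(owner, next_name, qname):
        return False
    if wildcard_matches(owner, qname):
        return False  # the wildcard exists and matches, so qname is not absent
    return True
```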


