PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures
Date: January 22nd 2018
Affects: PowerDNS Recursor 4.1.0
Not affected: PowerDNS Recursor < 4.1.0, 4.1.1
Impact: Denial of existence spoofing
Exploit: This problem can be triggered by an attacker in a man-in-the-middle position
Risk of system compromise: No
Solution: Upgrade to a non-affected version
An issue has been found in the DNSSEC validation component of PowerDNS Recursor, allowing an ancestor delegation NSEC or NSEC3 record to be used to wrongfully prove the non-existence of an RR below the owner name of that record. This would allow an attacker in a man-in-the-middle position to send an NXDOMAIN answer for a name that does exist. This issue has been assigned CVE-2018-1000003.
PowerDNS Recursor 4.1.0 is affected.
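The check a validator needs here is the ancestor-delegation rule from RFC 6840 section 4.1. The following is an added example, not PowerDNS Recursor code: the `Nsec` struct, the function names and the sample records are hypothetical and constructed for illustration, and only plain NSEC (not NSEC3) is modelled.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <set>
#include <string>

// Hypothetical, simplified view of an NSEC record whose RRSIG already verified.
// Assumption: names are lowercase, fully qualified, with no escaped dots.
struct Nsec {
    std::string owner;            // owner name of the NSEC
    std::string signer;           // signer name taken from the covering RRSIG
    std::set<std::string> types;  // type bitmap, as mnemonics
};

// Constructed samples: the parent-side NSEC at a delegation, and the child apex NSEC.
const Nsec kParentSide{"example.com.", "com.", {"NS", "DS", "RRSIG", "NSEC"}};
const Nsec kChildApex{"example.com.", "example.com.", {"NS", "SOA", "RRSIG", "NSEC"}};

// Number of labels: "example.com." -> 2, "." -> 0.
static std::size_t labelCount(const std::string& name) {
    if (name == ".") return 0;
    return static_cast<std::size_t>(std::count(name.begin(), name.end(), '.'));
}

// True when child is strictly below parent in the DNS tree.
static bool isBelow(const std::string& child, const std::string& parent) {
    if (parent == ".") return child != ".";
    if (child.size() <= parent.size()) return false;
    const std::size_t off = child.size() - parent.size();
    return child.compare(off, parent.size(), parent) == 0 && child[off - 1] == '.';
}

// RFC 6840 section 4.1: NS bit set, SOA bit clear, signer shorter than owner.
bool isAncestorDelegation(const Nsec& r) {
    return r.types.count("NS") != 0 && r.types.count("SOA") == 0 &&
           labelCount(r.signer) < labelCount(r.owner);
}

// May this record be used at all to deny qname? The usual
// "owner < qname < next" cover check still has to pass afterwards.
bool usableForDenial(const Nsec& r, const std::string& qname) {
    return !(isAncestorDelegation(r) && isBelow(qname, r.owner));
}

int main() {
    std::cout << usableForDenial(kParentSide, "www.example.com.") << '\n';  // rejected
    std::cout << usableForDenial(kChildApex, "www.example.com.") << '\n';   // allowed
}
```

The parent-side record stays usable for names that are not below its owner, so the rule only removes the one case the advisory describes.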
I have committed 4.1.1 to the tree and removed the vulnerable 4.1.0.
Only affects 4.1.0 which wasn't marked stable. Repository is clean. All done!