1) CVE-2019-10191 Description: "fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839)" "A vulnerability was discovered in DNS resolver of knot resolver before version 4.1.0 which allows remote attackers to downgrade DNSSEC-secure domains to DNSSEC-insecure state, opening possibility of domain hijack using attacks against insecure DNS protocol."
Hi @sam_c!

This CVE refers to the project knot-resolver (https://www.knot-resolver.cz/ // https://gitlab.labs.nic.cz/knot/knot-resolver // https://repology.org/project/knot-resolver) but we don't have any ebuild for it yet.

The ebuild 'net-dns/knot' is for the project knot-dns (https://www.knot-dns.cz/ // https://gitlab.labs.nic.cz/knot/knot-dns // https://repology.org/project/knot).

Both projects share libknot and are made by the same people, but knot-dns is the authoritative server (like 'net-dns/nsd') and knot-resolver is the domain name resolver (like 'net-dns/unbound').

Please mark this bug as INVALID.
(In reply to Pierre-Olivier Mercier from comment #1)
> Hi @sam_c!
>
> This CVE refers to the project knot-resolver (https://www.knot-resolver.cz/
> // https://gitlab.labs.nic.cz/knot/knot-resolver //
> https://repology.org/project/knot-resolver) but we don't have any ebuild for
> it yet.
>
> The ebuild 'net-dns/knot' is for the project knot-dns (https://www.knot-dns.cz/
> // https://gitlab.labs.nic.cz/knot/knot-dns //
> https://repology.org/project/knot).
>
> Both projects share libknot and are made by the same people, but
> knot-dns is the authoritative server (like 'net-dns/nsd') and knot-resolver
> is the domain name resolver (like 'net-dns/unbound').
>
> Please mark this bug as INVALID.

Thank you! Apologies for the mixup.