An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Recursor | Powerdns | 4.1.0 (including) | 4.3.0 (including) |
Pdns-recursor | Ubuntu | bionic | * |
Pdns-recursor | Ubuntu | eoan | * |
Pdns-recursor | Ubuntu | trusty | * |
Pdns-recursor | Ubuntu | xenial | * |