
Check if MiniDNS DNSSEC NSEC verification is affected by CVE-2018-1000002

Open · Flowdalic opened this issue 7 years ago · 0 comments

From http://www.openwall.com/lists/oss-security/2018/02/09/1

Announcement for Knot Resolver 1.5.2 is here: https://lists.nic.cz/pipermail/knot-resolver-users/2018/000000.html

Nature of the issue is that the original DNSSEC specification in section 5.4 of [RFC4035] under-specifies the algorithm for checking nonexistence proofs.

While implementing DNSSEC validation into Knot Resolver, we forgot to implement additional conditions explained in RFC 6840, so our DNSSEC validator could accept an NSEC or NSEC3 RR proofs from an ancestor zone as proving the nonexistence of an RR in a child zone.

Please note that Knot Resolver versions older than the latest 1.5.z are obsolete and not maintained by CZ.NIC anymore, so all users are advised to upgrade immediately to the latest 1.5 or 2.0 branches.

Version 1.5.z is going to be end-of-life in approximately one month, so direct upgrade to version 2.0 or later is strongly recommended.

More links

  • https://nvd.nist.gov/vuln/detail/CVE-2018-1000002?cpeVersion=2.2
  • https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
  • https://lists.nic.cz/pipermail/knot-dns-users/2018-January/001309.html
  • https://lists.nic.cz/pipermail/knot-resolver-users/2018/000000.html

Flowdalic · Feb 10 '18 11:02
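To make the check this issue asks about concrete, here is an added Python illustration (not MiniDNS code, and not taken from the advisory) of the rule in RFC 6840 section 4.1 that the quoted announcement refers to: an NSEC record whose owner is a delegation point in the parent zone (NS set, SOA absent) must not be used to prove nonexistence of any data below that zone cut, or of non-DS data at the cut. The `NSEC` class, the `apply_rfc6840` switch and the sample records are assumptions constructed for the demonstration; the type bitmap is modelled as a set of type names, and only the single-record covering/no-data logic is shown, without RRSIG verification, closest-encloser or wildcard handling, or NSEC3.

```python
"""Added illustration (not MiniDNS code): why an NSEC record from an
ancestor (parent) zone must not be accepted as a nonexistence proof for
a name inside a delegated child zone (RFC 6840 section 4.1)."""
from dataclasses import dataclass

DS, NS, SOA = "DS", "NS", "SOA"


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical DNS name ordering:
    labels are compared right to left, case-insensitively, and an
    ancestor sorts before every name below it."""
    labels = [lbl.lower().encode() for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def is_strict_subdomain(name: str, ancestor: str) -> bool:
    n, a = canonical_key(name), canonical_key(ancestor)
    return len(n) > len(a) and n[: len(a)] == a


@dataclass(frozen=True)
class NSEC:
    owner: str            # owner name of the NSEC RR
    next_name: str        # "next domain name" field
    types: frozenset      # type bitmap, modelled as a set of type names (assumption)


def nsec_covers(nsec: NSEC, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name. The last
    NSEC in a zone wraps around to the apex, so next_name sorts before owner."""
    o, n, q = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def is_ancestor_delegation(nsec: NSEC) -> bool:
    """An NSEC sitting at a zone cut in the parent: NS is set but SOA is not."""
    return NS in nsec.types and SOA not in nsec.types


def nsec_proves_nonexistence(nsec: NSEC, qname: str, qtype: str, apply_rfc6840: bool = True) -> bool:
    """Does this single NSEC prove that (qname, qtype) does not exist?

    apply_rfc6840=False is the bare RFC 4035 section 5.4 covering check, the
    behaviour the advisory describes as under-specified. apply_rfc6840=True
    adds the RFC 6840 section 4.1 rule: an ancestor delegation NSEC proves
    nothing about data below the zone cut, nor about non-DS data at the cut.
    """
    if canonical_key(nsec.owner) == canonical_key(qname):
        # "No data" proof: the name exists but the type is absent from the bitmap.
        if qtype in nsec.types:
            return False
        if apply_rfc6840 and is_ancestor_delegation(nsec) and qtype != DS:
            return False  # the parent is not authoritative for non-DS data at the cut
        return True
    # "Name error" proof: the NSEC must cover qname ...
    if not nsec_covers(nsec, qname):
        return False
    # ... and must not be an ancestor delegation NSEC for a name below the cut.
    if apply_rfc6840 and is_ancestor_delegation(nsec) and is_strict_subdomain(qname, nsec.owner):
        return False
    return True


# Constructed sample: the parent zone "example." delegates "child.example."
# without a DS record (insecure delegation), so its NSEC has NS but no SOA.
PARENT_DELEGATION_NSEC = NSEC(
    owner="child.example.",
    next_name="zzz.example.",
    types=frozenset({NS, "RRSIG", "NSEC"}),
)


def demo() -> dict:
    """For each query, return (result of the weak check, result with RFC 6840)."""
    cases = {
        "www.child.example./A": ("www.child.example.", "A"),
        "child.example./A": ("child.example.", "A"),
        "child.example./DS": ("child.example.", DS),
    }
    return {
        label: (
            nsec_proves_nonexistence(PARENT_DELEGATION_NSEC, q, t, apply_rfc6840=False),
            nsec_proves_nonexistence(PARENT_DELEGATION_NSEC, q, t, apply_rfc6840=True),
        )
        for label, (q, t) in cases.items()
    }


if __name__ == "__main__":
    for label, (weak, fixed) in demo().items():
        print(f"{label:24} RFC 4035 only: {weak!s:5}  with RFC 6840: {fixed}")
```

The weak check accepts the parent's delegation NSEC as proof that `www.child.example./A` does not exist, because the name does sort between `child.example.` and `zzz.example.`; a validator that stops there can be talked into a NXDOMAIN for a name the child zone actually serves. With the RFC 6840 rule the same record is rejected for everything below the cut and for non-DS types at the cut, while it still correctly proves the absence of a DS record, which is exactly what an insecure-delegation proof needs.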