Date: Fri, 9 Feb 2018 08:47:00 +0100 From: Petr Špaček <petr.spacek@....cz> To: Anthony Liguori <aliguori@...zon.com>, oss-security@...ts.openwall.com Cc: Jan Pavlinec <jan.pavlinec@....cz>, Remi Gacogne <remi.gacogne@...erdns.com>, Solar Designer <solar@...nwall.com>, Kristian Fiskerstrand <k_f@...too.org> Subject: Re: bug in DNS resolvers - DNSSEC validation Please accept my apology for this omission, the issue were made public right after end of embargo but I totally forgot about posting it again here. On 9.2.2018 02:46, Anthony Liguori wrote: > The following issues were reported on distros@ on Jan 15th and > subsequently made public without a post here. I'm referencing the > public announcements I've found with hope that Petr et al can provide > more specific information here. > > https://nvd.nist.gov/vuln/detail/CVE-2018-1000002?cpeVersion=2.2 > https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html Announcement for Knot Resolver 1.5.2 is here: https://lists.nic.cz/pipermail/knot-resolver-users/2018/000000.html Nature of the issue is that original DNSSEC specification in dection 5.4 of [RFC4035] under-specifies the algorithm for checking nonexistence proofs. While implementing DNSSEC validation into Knot Resolver, we forgot to implement additional conditions explained in RFC 6840, so our DNSSEC validator could accept an NSEC or NSEC3 RR proofs from an ancestor zone as proving the nonexistence of an RR in a child zone. Please note that Knot Resolver versions older than latest 1.5.z are obsolete and not maintained by CZ.NIC anymore so all users all advised to upgrade immediatelly to to latests 1.5 or 2.0 branches. Version 1.5.z is going to be end-of-life in approximatelly one month so direct upgrade to version 2.0 or later is strongly recommended. Petr Špaček @ CZ.NIC > The distros@ list has a policy that after the embargo lifts, the report > is also made to oss-security to ensure there is a public record of what > has been reported. > > Regards, > > Anthony Liguori
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ