5 Feb 2018, 5:29 p.m.
If you're using unbound as your local DNSSEC-validating resolver and have enabled DANE, an issue is resolved in unbound 1.6.8 where NSEC records for wildcards could be misused for invalid denial-of-existence proofs. See:
https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expa...
https://unbound.net/downloads/CVE-2017-15105.txt
The first article mentions that the same issue affected PowerDNS and Dnsmasq. So if you're using one of those, you might also need to update. While Google's public DNS was also affected, this is out of scope for DANE, as you get little security from relying on the AD bit from remote resolvers.
--
Viktor.
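The check that distinguishes a usable NSEC denial from the wildcard case referred to above, as an added example that is not part of Viktor's message and not unbound's code: a validator must only accept an NSEC RRset as a denial-of-existence proof if it was not synthesized from a wildcard. Per RFC 4034 the RRSIG Labels field excludes the root label and a leading `*` label, and per RFC 4035 section 5.3.4 an owner name with more labels than the Labels field is the result of wildcard expansion. The code below implements that rule together with RFC 4034 canonical name ordering; the zone `example.com`, the names, and the label counts are constructed for the illustration and are assumptions, not values from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    """An NSEC RR plus the Labels field of its covering RRSIG (constructed model)."""
    owner: str          # owner name as received, e.g. "*.example.com."
    next_name: str      # next owner name in canonical zone order
    rrsig_labels: int   # RRSIG Labels field: excludes root and a leading "*"


def labels_of(name: str) -> list[str]:
    """Split a presentation-format name into labels, dropping the root label."""
    return [label for label in name.rstrip(".").split(".") if label]


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 section 6.1 ordering: compare labels right-to-left, case-folded, as bytes.
    Python list comparison sorts a shorter prefix first, matching the RFC."""
    return [label.lower().encode() for label in reversed(labels_of(name))]


def is_wildcard_expanded(nsec: Nsec) -> bool:
    """RFC 4035 section 5.3.4: more owner labels than the Labels field means the
    RRset was synthesized from a wildcard. The leading "*" of an unexpanded
    wildcard owner is not counted (RFC 4034 section 3.1.3)."""
    labels = labels_of(nsec.owner)
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels) > nsec.rrsig_labels


def nsec_covers(nsec: Nsec, qname: str) -> bool:
    """True if qname sorts strictly between owner and next (with wrap-around for
    the last NSEC in the zone, whose next name is the apex)."""
    owner, nxt, q = canonical_key(nsec.owner), canonical_key(nsec.next_name), canonical_key(qname)
    if q == owner:
        return False  # the name exists; NSEC proves only what types it lacks
    if owner < nxt:
        return owner < q < nxt
    return q > owner or q < nxt  # last NSEC wraps to the zone apex


def denies_existence(nsec: Nsec, qname: str) -> bool:
    """A validator may use this NSEC to deny qname only if it is genuine (not a
    wildcard-expanded copy) and its span actually covers qname."""
    if is_wildcard_expanded(nsec):
        return False
    return nsec_covers(nsec, qname)


if __name__ == "__main__":
    # Constructed: the zone's real wildcard NSEC, signed with Labels=2.
    wildcard_nsec = Nsec("*.example.com.", "www.example.com.", 2)
    # Constructed: the same record after wildcard expansion by a server; still
    # carries a valid signature, but must not serve as a denial proof.
    expanded_nsec = Nsec("mail.example.com.", "www.example.com.", 2)
    print(denies_existence(wildcard_nsec, "foo.example.com."))  # True
    print(nsec_covers(expanded_nsec, "ns.example.com."))        # True: span covers it
    print(denies_existence(expanded_nsec, "ns.example.com."))   # False: rejected as expanded
```

The point the second pair of calls makes is the one the advisory is about: the expanded record's span does cover `ns.example.com.`, so a validator that only checks the span (and the signature) accepts a bogus denial; the Labels comparison is what rejects it.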