[Dnsmasq-discuss] DNSSEC security fix.
simon at thekelleys.org.uk
Fri Jan 19 12:54:47 GMT 2018
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove that nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exist, when it may well do so.
I don't think this is a big enough problem to warrant an out-of-sequence
release, but it does have a CVE, CVE-2017-15107, and does need fixing.
The patch is at
and should backport easily if any distro maintainers disagree with me on
the need for retrospective fixes.
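The check described above, written out as an added example that is not dnsmasq code or the patch itself: a wildcard-expanded NSEC is recognised from the RRSIG labels field (fewer labels than the owner name means the record was synthesized from a wildcard), and the covered span then starts at the wildcard name rather than at the expanded owner. Names are assumed to be dotted text; the sample names are the ones from the post plus a constructed query name that sorts between "!" and "*".

```python
# Added example: NSEC denial-of-existence checks, naive vs. wildcard-aware.
# Assumption: the RRSIG "labels" field of the NSEC's signature is known.

def labels(name):
    """Dotted name -> list of lowercased labels, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def canonical_cmp(a, b):
    """DNSSEC canonical ordering (RFC 4034 6.1): compare label by label
    from the root, as bytes; a name that is a prefix sorts first.
    Returns -1, 0 or 1."""
    la, lb = list(reversed(labels(a))), list(reversed(labels(b)))
    for x, y in zip(la, lb):
        xb, yb = x.encode(), y.encode()
        if xb != yb:
            return -1 if xb < yb else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def effective_nsec_owner(owner, rrsig_labels):
    """The name whose span the NSEC really covers. If the signature was
    made over fewer labels than the owner has, the record was expanded
    from a wildcard: the true owner is '*' plus the trailing labels."""
    owner_labels = labels(owner)
    if rrsig_labels < len(owner_labels):
        tail = owner_labels[len(owner_labels) - rrsig_labels:]
        return "*." + ".".join(tail + [""])
    return owner

def nsec_covers_naive(owner, next_name, qname):
    """The behaviour the post describes as the bug: trusts the expanded
    owner name as the start of the span (!.example.org in the example)."""
    return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, next_name) < 0

def nsec_covers(owner, next_name, rrsig_labels, qname):
    """Corrected check: span starts at the wildcard name when the NSEC
    was wildcard-expanded, so names between '!' and '*' are not denied."""
    start = effective_nsec_owner(owner, rrsig_labels)
    return canonical_cmp(start, qname) < 0 and canonical_cmp(qname, next_name) < 0

if __name__ == "__main__":
    # Constructed query: "$" sorts between "!" and "*" in byte order.
    owner, nxt, q = "!.example.org.", "zz.example.org.", "$.example.org."
    print("naive denies  :", nsec_covers_naive(owner, nxt, q))      # True
    print("correct denies:", nsec_covers(owner, nxt, 2, q))         # False
```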