Allele Security Alert
Insufficient validation of DNSSEC signatures
PowerDNS Recursor from 4.1.0 up to and including 4.1.8
PowerDNS Recursor 4.1.9
Proof of concept
An issue has been found in PowerDNS Recursor where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
Ralph Dolmans and George Thessalonikefs (NLNetLabs)
PowerDNS Recursor 4.1.9 Released
PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
PowerDNS Security Advisories 2011-01 and 2019-02
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 1, 2019