| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Insufficient validation |
|
| Description |
| + |
An issue has been found in PowerDNS Recursor before 4.3.1 and 4.2.2 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation. |
|
| References |
| + |
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-02.html |
| + |
https://github.com/PowerDNS/pdns/commit/4bba0ec04aacbec08fe585ad790e2e8e0cb7b04a |
|