Maintained by: NLnet Labs

[Unbound-users] Release of unbound 1.3.4

W.C.A. Wijngaards
Wed Oct 7 17:15:39 CEST 2009


Hi,

Unbound 1.3.4 has sha1 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
sha256 5a7f658b12c311f3c131d315b135956eeaa3bd7caa94b25b4777638ee7ce583f
and can be found at http://unbound.net/downloads/unbound-1.3.4.tar.gz

We have discovered a bug in NSEC3 validation handling code: Under 
specific circumstances checks of signatures over NSEC3 records are not done.

As a result carefully crafted delegation responses (created through 
exploiting general DNS vulnerabilities such as DNS packet spoofing) can 
be used to downgrade an existing secure delegation to insecure.

Unbound version 1.3.4 addresses this problem. With respect to version 
1.3.3 there are no other features added in the 1.3.4 release.

Unbound users who depend on DNSSEC validation are advised to upgrade.

Best regards,
    Wouter
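
Added example, not part of the original announcement or of the Unbound project: a POSIX shell check that a downloaded tarball matches the digests published in the message above before it is unpacked or built. The function names `digest_of` and `verify_release` are made up for this example, and the local file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Digests exactly as published in the announcement above.
UNBOUND_134_SHA1=70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
UNBOUND_134_SHA256=5a7f658b12c311f3c131d315b135956eeaa3bd7caa94b25b4777638ee7ce583f

# digest_of ALGO FILE: print the lowercase hex digest (ALGO is 1 or 256).
# Reads the file on stdin so unusual file names cannot alter the output format.
digest_of() {
    if command -v "sha${1}sum" >/dev/null 2>&1; then
        "sha${1}sum" < "$2" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a "$1" < "$2" | cut -d' ' -f1
    else
        echo "no SHA-$1 tool found" >&2
        return 2
    fi
}

# verify_release FILE SHA256 [SHA1]
# Returns 0 only if every supplied digest matches, 1 on mismatch, 2 on usage
# or tool errors. SHA-256 is mandatory; SHA-1 is checked as well when given.
verify_release() {
    vr_file=$1
    [ -n "${2:-}" ] || { echo "usage: verify_release FILE SHA256 [SHA1]" >&2; return 2; }
    [ -r "$vr_file" ] || { echo "cannot read $vr_file" >&2; return 2; }
    for vr_pair in "256:$2" "1:${3:-}"; do
        vr_algo=${vr_pair%%:*}
        # Accept upper-case hex from the caller.
        vr_want=$(printf %s "${vr_pair#*:}" | tr 'A-F' 'a-f')
        [ -n "$vr_want" ] || continue          # optional digest not supplied
        vr_got=$(digest_of "$vr_algo" "$vr_file") || return 2
        if [ "$vr_got" != "$vr_want" ]; then
            echo "SHA-$vr_algo mismatch for $vr_file" >&2
            echo "  expected $vr_want" >&2
            echo "  got      ${vr_got:-<none>}" >&2
            return 1
        fi
    done
    echo "$vr_file: digests match"
}

# Usage (file name assumed to be the downloaded tarball in the current directory):
#   verify_release unbound-1.3.4.tar.gz "$UNBOUND_134_SHA256" "$UNBOUND_134_SHA1" \
#       && tar xzf unbound-1.3.4.tar.gz
```

A match shows only that the file is the one the announcement describes, so the digests should come from a copy of the announcement obtained separately from the download itself.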