[Unbound-users] Release of unbound 1.3.4

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed Oct 7 15:15:39 UTC 2009


Unbound 1.3.4 has sha1 70aea0092ad0b0cd76e57adc6a5843d3fa0d2a07
sha256 5a7f658b12c311f3c131d315b135956eeaa3bd7caa94b25b4777638ee7ce583f
and can be found http://unbound.net/downloads/unbound-1.3.4.tar.gz

We have discovered a bug in NSEC3 validation handling code: Under 
specific circumstances checks of signatures over NSEC3 records are not done.

As a result carefully crafted delegation responses (created through 
exploiting general DNS vulnerabilities such as DNS packet spoofing) can 
be used to downgrade an existing secure delegation to insecure.

Unbound version 1.3.4 addresses this problem. With respect to version 
1.3.3 there are no other features added in the 1.3.4 release.

Unbound users who depend on DNSSEC validation are advised to upgrade.

Best regards,

More information about the Unbound-users mailing list