DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.
It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain>, NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence
in a domain which includes a wildcard for NSEC.
diff --git a/CHANGELOG b/CHANGELOG
index b95c7ec..511654a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -30,7 +30,17 @@
as an alternative to
--bridge-interface=int1,alias1,alias2
Thanks to Neil Jerram for work on this.
-
+
+ Fix for DNSSEC with wildcard-derived NSEC records.
+ It's OK for NSEC records to be expanded from wildcards,
+ but in that case, the proof of non-existence is only valid
+ starting at the wildcard name, *.<domain> NOT the name expanded
+ from the wildcard. Without this check it's possible for an
+ attacker to craft an NSEC which wrongly proves non-existence.
+ Thanks to Ralph Dolmans for finding this, and co-ordinating
+ the vulnerability tracking and fix release.
+ CVE-2017-15107 applies.
+
version 2.78
Fix logic of appending ".<layer>" to PXE basename. Thanks to Chris
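Review bot: the hunk only touches CHANGELOG; the diff as shown contains no change to the DNSSEC validation code or a test that exercises a wildcard-derived NSEC, so a reader of this patch cannot see where the "proof is only valid starting at the wildcard name" check was added. Suggest the CHANGELOG entry (or the commit) name the source file where the check lives so the fix can be traced from the advisory. Also, the CHANGELOG wording drops the qualifier from the commit message, "in a domain which includes a wildcard for NSEC", and ends at "wrongly proves non-existence."; restoring that qualifier keeps the entry consistent with the commit message and with the scope stated for CVE-2017-15107.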