PT-2025-6078 · Unknown · Hickory Dns

Divergentdave · Published 2025-02-07 · Updated 2025-02-11 · CVE-2025-25188

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Hickory DNS versions 0.8.0 through 0.24.2
Hickory DNS versions 0.25.0-alpha.1 through 0.25.0-alpha.4
Description

The issue stems from insufficient authentication of data in the verify_dnskey_rrset() function of the Hickory DNS client. This can allow a remote attacker to bypass security restrictions and gain unauthorized access to protected information. The DNSSEC validation routines treat an entire RRset of DNSKEY records as trusted once trust has been established in only one of the DNSKEYs: if a zone includes a DNSKEY whose public key matches a configured trust anchor, every key in that zone is trusted to authenticate other records in the zone. A variant of this issue involves DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.
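The following Rust model is an added illustration, not Hickory DNS code: it contrasts the RRset-level trust the description above attributes to verify_dnskey_rrset() with per-key trust, using a record set in which only one DNSKEY matches the anchor while the record is signed by a different key. The DnsKey and Rrsig types, the keyed-hash stand-in for a DNSSEC signature, and the key and record values are all constructed for the example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;

/// Minimal DNSKEY model (constructed): only the public key bytes matter here.
#[derive(Clone)]
struct DnsKey { public_key: Vec<u8> }

/// Minimal RRSIG model: which key produced it, and the signature value.
struct Rrsig { signer: Vec<u8>, sig: u64 }

/// Toy "signature": a keyed hash standing in for a real asymmetric signature.
fn toy_sign(key: &[u8], data: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    h.write(key);
    h.write(data);
    h.finish()
}

/// Advisory behaviour: any anchored DNSKEY makes the whole RRset trusted.
fn verify_dnskey_rrset_flawed(rrset: &[DnsKey], anchors: &[Vec<u8>]) -> Vec<DnsKey> {
    if rrset.iter().any(|k| anchors.contains(&k.public_key)) { rrset.to_vec() } else { Vec::new() }
}

/// Corrected behaviour: a key is trusted only if it is itself authenticated
/// (here: matches an anchor; a DS-covered key would be handled the same way).
fn verify_dnskey_rrset_fixed(rrset: &[DnsKey], anchors: &[Vec<u8>]) -> Vec<DnsKey> {
    rrset.iter().filter(|k| anchors.contains(&k.public_key)).cloned().collect()
}

/// A record is accepted if some RRSIG over it verifies under a trusted key.
fn verify_rrset_with_dnskey(data: &[u8], sigs: &[Rrsig], trusted: &[DnsKey]) -> bool {
    sigs.iter().any(|s| {
        trusted.iter().any(|k| k.public_key == s.signer) && toy_sign(&s.signer, data) == s.sig
    })
}

/// Constructed scenario: the zone publishes the anchored key plus an unrelated
/// key, and signs a record only with the unrelated key.
fn rogue_record_accepted(flawed: bool) -> bool {
    let (anchor, rogue) = (b"anchor-key".to_vec(), b"rogue-key".to_vec());
    let rrset = vec![DnsKey { public_key: anchor.clone() }, DnsKey { public_key: rogue.clone() }];
    let data = b"www.example. A 192.0.2.1";
    let sigs = [Rrsig { signer: rogue.clone(), sig: toy_sign(&rogue, data) }];
    let trusted = if flawed {
        verify_dnskey_rrset_flawed(&rrset, &[anchor])
    } else {
        verify_dnskey_rrset_fixed(&rrset, &[anchor])
    };
    verify_rrset_with_dnskey(data, &sigs, &trusted) // flawed: true, fixed: false
}
```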
Recommendations

For Hickory DNS versions 0.8.0 through 0.24.2, update to version 0.24.3 or later. For Hickory DNS versions 0.25.0-alpha.1 through 0.25.0-alpha.4, update to version 0.25.0-alpha.5 or later. As a temporary workaround, consider restricting the use of the verify_dnskey_rrset() function until a patch is available, restrict access to the DNSKEY records to minimize the risk of exploitation, and avoid using the verify_rrset_with_dnskey() function with different keys and signatures until the issue is resolved.

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

BDU:2025-01586
CVE-2025-25188
GHSA-37WC-H8XC-5HC4

Affected Products

Hickory Dns