Ralph Dolmans

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions 4.1.x through 4.1.8 **Description** An issue has been found where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation. **Recommendations** For PowerDNS Recursor versions 4.1.x through 4.1.8, update to version 4.1.9 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: unbound versions prior to 1.6.8 Description: A flaw was found in the way unbound validated wildcard-synthesized NSEC records. An improperly validated wildcard NSEC record could be used to prove the non-existence of an existing wildcard record, or trick unbound into accepting a NODATA proof. Recommendations: For versions prior to 1.6.8, update to version 1.6.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of wildcard NSEC records until a patch is available.