CVE-2019-10190

Name of the Vulnerable Software and Affected Versions: knot resolver versions prior to 4.1.0

Description: A vulnerability was discovered in the DNS resolver component that allows remote attackers to bypass DNSSEC validation for non-existence answers. Specifically, NXDOMAIN answers would get passed through to the client even if their DNSSEC validation failed, instead of sending a SERVFAIL packet. Caching is not affected by this bug.

Recommendations: For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the DNS resolver component to minimize the risk of exploitation.