CVE-2019-10191

Name of the Vulnerable Software and Affected Versions knot resolver versions prior to 4.1.0

Description A vulnerability was discovered in the DNS resolver of knot resolver, which allows remote attackers to downgrade DNSSEC-secure domains to a DNSSEC-insecure state. This opens the possibility of domain hijack using attacks against the insecure DNS protocol. The issue is due to insufficient input validation, enabling a remote attacker to convert a DNSSEC-secure domain to an insecure state.

Recommendations For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the DNS resolver to minimize the risk of exploitation.