PT-2020-16230 · Powerdns+1 · Powerdns Recursor+1

Published 2020-10-16 · Updated 2024-07-01 · CVE-2020-25829

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

PowerDNS Recursor versions 4.1.x through 4.1.17
PowerDNS Recursor versions 4.2.x through 4.2.4
PowerDNS Recursor versions 4.3.x through 4.3.4

Description

A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process).

Recommendations

For PowerDNS Recursor versions 4.1.x through 4.1.17, update to version 4.1.18 or later.
For PowerDNS Recursor versions 4.2.x through 4.2.4, update to version 4.2.5 or later.
For PowerDNS Recursor versions 4.3.x through 4.3.4, update to version 4.3.5 or later.
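
An added triage helper (example code, not from the advisory or the PowerDNS project) that applies the version ranges and the two dnssec modes listed above to a single installation. The function names and the sample configuration are constructed for illustration; the example assumes that the last `dnssec=` line in recursor.conf takes effect and, as a conservative choice, treats a pre-release of a fixed version as unfixed.

```python
import re

# Fixed release per affected branch, taken from the Recommendations above.
FIXED = {(4, 1): (4, 1, 18), (4, 2): (4, 2, 5), (4, 3): (4, 3, 5)}
# dnssec modes the Description names as impacted, and who is impacted in each.
IMPACT = {
    "validate": "all clients (recursor always validates)",
    "process": "clients that request validation",
}
# Constructed recursor.conf fragment used as sample input.
SAMPLE_CONF = """\
local-address=192.0.2.53
dnssec=process-no-validate
dnssec-log-bogus=yes
dnssec=validate   # assumption: the later line wins
"""

def parse_version(text):
    """Return (major, minor, patch, is_prerelease) from '4.3.4' or '4.3.5-rc1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-[A-Za-z0-9.]+)?", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None

def dnssec_mode(conf_text):
    """Last uncommented 'dnssec=' value in the config text, or None if unset."""
    mode = None
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip() == "dnssec":  # skips dnssec-log-bogus etc.
            mode = value.strip().lower()
    return mode

def triage(version_text, conf_text):
    """Combine the version check and the dnssec mode into one finding."""
    major, minor, patch, pre = parse_version(version_text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return {"affected": False, "reason": "branch not listed in the advisory"}
    # Tuple compare: 4.3.5-rc1 sorts below 4.3.5, so it still counts as affected.
    affected = (patch, not pre) < (fixed[2], True)
    mode = dnssec_mode(conf_text)
    return {
        "affected": affected,
        "upgrade_to": ".".join(map(str, fixed)) if affected else None,
        "dnssec": mode,
        "impact": IMPACT.get(mode, "mode not named in the advisory") if affected else None,
    }
```

A mode other than `validate` or `process` is reported as not named in the advisory rather than as safe, since the advisory makes no statement about the other modes.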

Fix

Related Identifiers

CVE-2020-25829
DLA-3855-1
MGASA-2020-0393
OPENSUSE-SU-2020:1687-1
OPENSUSE-SU-2020_1687-1
OPENSUSE-SU-2024:11157-1

Affected Products

Powerdns Recursor
Suse