Nature of the issue is that original DNSSEC specification in section 5.4
of [RFC4035] under-specifies the algorithm for checking nonexistence
proofs.
While implementing DNSSEC validation into Knot Resolver, we forgot to
implement additional conditions explained in RFC 6840, so our DNSSEC
validator could accept an NSEC or NSEC3 RR proofs from an ancestor zone
as proving the nonexistence of an RR in a child zone.
Please note that Knot Resolver versions older than latest 1.5.z are
obsolete and not maintained by CZ.NIC anymore so all users are advised
to upgrade immediately to the latest 1.5 or 2.0 branches.
Version 1.5.z is going to be end-of-life in approximately one month so
direct upgrade to version 2.0 or later is strongly recommended.
From http://www.openwall.com/lists/oss-security/2018/02/09/1
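
The additional conditions referred to above are in RFC 6840, section 4.1. The sketch below is an added example, not Knot Resolver code: it decides whether an NSEC record may be used at all as a nonexistence proof for a query. The `Nsec` type, the function names and the sample zone names are assumptions made for illustration; signature validation and the check that the NSEC actually covers the name are out of scope.

```python
from dataclasses import dataclass

def labels(name):
    """Split an absolute name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, parent, strict=False):
    """True if name is at or below parent (strictly below when strict)."""
    n, p = labels(name), labels(parent)
    if len(p) > len(n) or n[len(n) - len(p):] != p:
        return False
    return len(n) > len(p) or not strict

@dataclass(frozen=True)
class Nsec:                  # hypothetical container for this example
    owner: str               # NSEC owner name
    signer: str              # Signer's Name field of the covering RRSIG
    types: frozenset         # mnemonics set in the type bitmap

def is_ancestor_delegation(nsec):
    """RFC 6840 4.1: NS bit set, SOA bit clear, signer shorter than owner."""
    return ("NS" in nsec.types and "SOA" not in nsec.types
            and len(labels(nsec.signer)) < len(labels(nsec.owner)))

def usable_for_denial(nsec, qname, qtype):
    """May this NSEC be used to assume nonexistence of qname/qtype?"""
    below = is_subdomain(qname, nsec.owner, strict=True)
    at_owner = labels(qname) == labels(nsec.owner)
    if is_ancestor_delegation(nsec):
        # The parent side of a zone cut says nothing about names below the
        # cut, nor about types at the cut other than DS.
        if below or (at_owner and qtype != "DS"):
            return False
    if "DNAME" in nsec.types and below:
        # An NSEC at a DNAME owner must not deny names beneath the DNAME.
        return False
    return True

# Constructed sample records: the parent-side NSEC at a delegation, the
# child zone's own apex NSEC, and an NSEC at a DNAME owner.
PARENT_SIDE = Nsec("child.example.", "example.",
                   frozenset({"NS", "DS", "RRSIG", "NSEC"}))
CHILD_APEX = Nsec("child.example.", "child.example.",
                  frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}))
AT_DNAME = Nsec("d.example.", "example.",
                frozenset({"DNAME", "RRSIG", "NSEC"}))
```

For NSEC3 the same conditions apply to the original (unhashed) owner name.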