| CARVIEW |
Select Language
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 19114
date: Mon, 14 Jul 2025 14:46:22 GMT
last-modified: Mon, 07 Apr 2025 12:50:54 GMT
etag: "738fc404f877fd8bc42c5a37d4d9873e"
x-amz-server-side-encryption: AES256
x-amz-meta-mtime: 1744030151
x-amz-version-id: MgZufaVwJ3nslfBpPEJ9qv.g5p1_q2s8
accept-ranges: bytes
server: AmazonS3
x-cache: Miss from cloudfront
via: 1.1 82636c8aa9a5ece412a0bc535c0ca124.cloudfront.net (CloudFront)
x-amz-cf-pop: HEL51-P1
x-amz-cf-id: -ucvJZuU7WKOCjH3K6JAHXKVDfLmhfOWvBvwS5k8KzziFyE2oCPKxg==
PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures — PowerDNS Recursor documentation
Navigation
PowerDNS Recursor
Previous topic
PowerDNS Security Advisory 2020-01: Denial of Service
Next topic
PowerDNS Security Advisory 2020-03: Information disclosure
Contents
- Introduction
- Getting Started
- Operating PowerDNS Recursor
- DNSSEC in the PowerDNS Recursor
- PowerDNS Recursor Settings
- PowerDNS Recursor New Style (YAML) Settings
- Advanced Configuration Using Lua
- Scripting PowerDNS Recursor
- DNS64 support
- Metrics and Statistics
- Performance Guide
- Manual Pages
- Built-in Webserver and HTTP API
- Security of the PowerDNS Recursor
- Security Advisories
- PowerDNS Security Advisory 2025-01: A crafted zone can lead to an illegal memory access in the Recursor
- PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
- PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
- PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
- PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
- PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
- PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation
- PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
- PowerDNS Security Advisory 2020-07: Cache pollution
- PowerDNS Security Advisory 2020-04: Access restriction bypass
- PowerDNS Security Advisory 2020-03: Information disclosure
- PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2020-01: Denial of Service
- PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
- PowerDNS Security Advisory 2018-09: Crafted query can cause a denial of service
- PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service
- PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query
- PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service
- PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service
- PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing
- PowerDNS Security Advisory 2017-06: Configuration file injection in the API
- PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface
- PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
- PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
- PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
- PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
- PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
- PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
- PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
- PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to ‘spoof’ PowerDNS Recursor
- PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
- PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
- Older security advisories
- Upgrade Guide
- Changelogs
- Newly Observed Domain Tracking
- Unique Domain Response
- End of life statements
- Frequently Asked Questions
- Compiling PowerDNS Recursor
- Cryptographic software and export control
- Internals of the PowerDNS Recursor
- Structured Logging Dictionary
- Conversion of old-style settings to YAML format
- PowerDNS/dnsdist license
This Page
- Docs
- Security Advisories
- PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures
PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures¶
- CVE: CVE-2020-12244
- Date: May 19th 2020
- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
- Not affected: 4.3.1, 4.2.2, 4.1.16
- Severity: Medium
- Impact: Denial of existence spoofing
- Exploit: This problem can be triggered by an attacker in position of man-in-the-middle
- Risk of system compromise: No
- Solution: Upgrade to a non-affected version
- Workaround: None
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer. This would allow an attacker in position of man-in-the-middle to send a NXDOMAIN answer for a name that does exist, bypassing DNSSEC validation.
This issue has been assigned CVE-2020-12244.
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected.
Please note that at the time of writing, PowerDNS Authoritative 4.0 and below are no longer supported, as described in https://doc.powerdns.com/authoritative/appendices/EOL.html.
We would like to thank Matt Nordhoff for finding and subsequently reporting this issue!
Navigation
© Copyright PowerDNS.COM BV. Created using Sphinx.