From: Michał Kępień
Date: Thu, 2 Oct 2025 10:58:05 +0000 (+0200)
Subject: [9.18] [CVE-2025-8677] sec: usr: DNSSEC validation fails if matching but invalid...
X-Git-Tag: v9.18.41~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85d08e068316fc9530965b56b3d99833d501ea12;p=thirdparty%2Fbind9.git

[9.18] [CVE-2025-8677] sec: usr: DNSSEC validation fails if matching but invalid DNSKEY is found

Previously, if a matching but cryptographically invalid key was encountered during DNSSEC validation, the key was skipped and not counted towards validation failures. :iscman:`named` now treats such DNSSEC keys as hard failures and the DNSSEC validation fails immediately, instead of continuing with the next DNSKEYs in the RRset.

ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention.

Backport of MR !821

Closes isc-projects/bind9#5343

Merge branch '5343-security-count-invalid-keys-into-validation-fails-9.18' into 'v9.18.40-release'

See merge request isc-private/bind9!843
---
85d08e068316fc9530965b56b3d99833d501ea12