From: Michał Kępień <michal@isc.org>
Date: Wed, 22 Oct 2025 16:41:51 +0000 (+0200)
Subject: [9.16] [CVE-2025-40778] sec: usr: Address various spoofing attacks
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aba2fa7e355be5a5c25d61c51238ea16d231b577;p=thirdparty%2Fbind9.git

[9.16] [CVE-2025-40778] sec: usr: Address various spoofing attacks

Previously, several issues could be exploited to poison a DNS cache with
spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.

As an additional layer of protection, :iscman:`named` no longer accepts
DNAME records or extraneous NS records in the AUTHORITY section unless
these are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).

ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention.

Backport of !838

Closes isc-projects/bind9#5414

Merge branch '5414-security-check-name-vs-qname-again-9.16' into 'bind-9.16-release'

See merge request isc-private/bind9!859
---

aba2fa7e355be5a5c25d61c51238ea16d231b577