A vulnerability in the DNSSEC implementation of Dnsmasq was found. Processing of wildcard-synthesized NSEC records may result in improper validation for non-existence in some implementations of DNSSEC. While synthesis of NSEC records is allowed by RFC 4592, the synthesized owner names should not be used in the NSEC processing.
Name: Ralph Dolmans (NLnet Labs), Karst Koymans (University of Amsterdam)
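The owner-name handling described above, as an added example that is not taken from dnsmasq or from this report: a validator recovers the signed owner name from the RRSIG Labels field (RFC 4035 section 5.3.2) before testing whether an NSEC covers a query name. The zone contents, the record dictionary and all function names are constructed for illustration.

```python
# Added example, not dnsmasq code. Names are ASCII without a trailing dot.

def labels(name):
    """Split a name into lowercase labels, ignoring the root label."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """Sort key for canonical DNS name order (RFC 4034 section 6.1)."""
    return [l.encode("ascii") for l in reversed(labels(name))]

def original_owner(owner, rrsig_labels):
    """Recover the signed owner name from the RRSIG Labels field.

    If the owner has more labels than the RRSIG covers, the record was
    synthesized from a wildcard (RFC 4035 section 5.3.2).
    """
    ls = labels(owner)
    count = len(ls) - 1 if ls and ls[0] == "*" else len(ls)
    if rrsig_labels > count:
        raise ValueError("RRSIG Labels field exceeds owner name length")
    if rrsig_labels == count:
        return ".".join(ls)
    return ".".join(["*"] + ls[len(ls) - rrsig_labels:])

def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly between owner and next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps to the zone apex

def proves_nonexistence(nsec, qname, trust_synthesized_owner=False):
    """Check an NSEC as a denial for qname; the flag selects the flawed form."""
    owner = nsec["owner"]
    if not trust_synthesized_owner:
        owner = original_owner(owner, nsec["rrsig_labels"])
    return nsec_covers(owner, nsec["next"], qname)

# Constructed sample: zone example.com holds *, alpha and mail. The signed
# record is "*.example.com NSEC alpha.example.com"; the answer below is
# that record synthesized for the owner name b.example.com.
SYNTHESIZED = {"owner": "b.example.com", "next": "alpha.example.com",
               "rrsig_labels": 2}

if __name__ == "__main__":
    for q in ("mail.example.com", "aaa.example.com"):
        print(q, proves_nonexistence(SYNTHESIZED, q, True),
              proves_nonexistence(SYNTHESIZED, q))
```

With the synthesized owner taken at face value, the record appears to be the last NSEC in the chain and denies `mail.example.com`, which exists in the constructed zone; with the owner restored to `*.example.com`, it covers only the names between the wildcard and `alpha.example.com`.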
Versions of Dnsmasq shipped with Red Hat Enterprise Linux are built without DNSSEC support, so they are not affected by this issue.
Created dnsmasq tracking bugs for this issue:
Affects: fedora-all [bug 1536903]