A vulnerability was discovered in the DNS resolver component of Knot Resolver through version 3.2.0 before 4.0.0 which allows a remote attacker to bypass DNSSEC validation for non-existence answers: an NXDOMAIN answer would get passed through to the client even if its DNSSEC validation failed, instead of a SERVFAIL packet being sent. Caching is not affected by this particular bug but see the other CVE.
Acknowledgments:
Name: Petr Špaček (CZ.NIC)
Upstream: Vladimír Čunát (CZ.NIC)
Created knot-resolver tracking bugs for this issue:
Affects: epel-7 [bug 1729825]
Affects: fedora-all [bug 1729824]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
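A client-side check for the failure mode described in this entry, as an added example that is not part of the original report or of Knot Resolver: it reads the RCODE and AD (Authenticated Data) flag from a DNS response header and refuses to treat an NXDOMAIN under a known-signed zone as authoritative unless the resolver marked it validated. Assumptions: the query was sent with the DO or AD bit set, the zone is signed without NSEC3 opt-out, and the path to the resolver is trusted; `build_header` and `classify` are hypothetical names, and the sample headers are constructed.

```python
import struct

QR_BIT = 0x8000   # response flag
AD_BIT = 0x0020   # Authenticated Data: resolver validated the answer (RFC 4035)
SERVFAIL, NXDOMAIN = 2, 3
RCODE_NAMES = {0: "noerror", SERVFAIL: "servfail", NXDOMAIN: "nxdomain"}


def build_header(txid, rcode, ad):
    """Build a 12-byte DNS response header (constructed sample data)."""
    flags = QR_BIT | 0x0100 | 0x0080 | (AD_BIT if ad else 0) | rcode  # RD + RA
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def classify(response, zone_is_signed):
    """Classify a resolver response by RCODE and AD flag.

    zone_is_signed is the caller's own knowledge (an assumption of this
    example), e.g. a pinned list of zones known to publish DNSSEC records.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR_BIT:
        raise ValueError("not a DNS response")
    rcode = flags & 0x000F
    validated = bool(flags & AD_BIT)
    if rcode == SERVFAIL:
        # What a validating resolver is expected to send when validation fails.
        return "servfail"
    if rcode == NXDOMAIN and zone_is_signed and not validated:
        # Denial of existence for a signed zone that was not marked validated:
        # do not treat the name as proven non-existent.
        return "unvalidated-nxdomain"
    name = RCODE_NAMES.get(rcode, f"rcode{rcode}")
    return ("validated-" if validated else "insecure-") + name


if __name__ == "__main__":
    samples = [  # constructed: (header bytes, zone known to be signed?)
        (build_header(0x1234, NXDOMAIN, ad=False), True),
        (build_header(0x1235, NXDOMAIN, ad=True), True),
        (build_header(0x1236, SERVFAIL, ad=False), True),
        (build_header(0x1237, NXDOMAIN, ad=False), False),
    ]
    for raw, signed in samples:
        print(raw.hex(), "signed" if signed else "unsigned", classify(raw, signed))
```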