Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone. Usually these RRSets are used to update the
resolver's knowledge of the zone's name servers. A malicious actor who
is able to attach such records in a reply (i.e., spoofed packet,
fragmentation attack) can poison Unbound's cache for the delegation
point.
The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poison effect.
The protection can be turned off by setting the new configuration option
"iter-scrub-promiscuous" to "no", see unbound.conf(5).
For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u6.
We recommend that you upgrade your unbound packages.
For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/unbound
Get the latest Linux and open source security news straight to your inbox.