Today we are releasing PowerDNS Recursor 4.3.5, 4.2.5 and 4.1.18, containing a security fix for CVE-2020-25829:
An issue has been found in PowerDNS Recursor where a remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installations that always validate (dnssec=validate) and for clients requesting validation when on-demand validation is enabled (dnssec=process). The severity is high for these cases.
The 4.3.5 tarball (signature), 4.2.5 tarball (signature) and 4.1.18 tarball (signature) are available at downloads.powerdns.com and packages for CentOS 6, 7 and 8, Debian Stretch and Buster, Ubuntu Xenial and Bionic are available from repo.powerdns.com.
4.0 and older releases are EOL; refer to the documentation for details about our release cycles.
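As an added triage example (not PowerDNS code), the Python below checks a Recursor version and the text of a recursor.conf against this announcement: whether the release is one of the fixed ones, and whether dnssec= is set to a mode the announcement names. The function names, the sample configuration, the last-assignment-wins parsing and the process-no-validate fallback for an unset dnssec option are assumptions of this example.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED_PATCH = {(4, 3): 5, (4, 2): 5, (4, 1): 18}
# dnssec= modes for which the announcement describes a denial of service.
AFFECTED_MODES = {"validate", "process"}


def release_status(version):
    """Classify an 'X.Y.Z' Recursor version against the announcement."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[(major, minor)] else "needs-update"
    if (major, minor) <= (4, 0):
        return "eol"  # 4.0 and older: no fixed release is listed
    return "not-covered"  # branch the announcement does not mention


def dnssec_mode(conf_text, default="process-no-validate"):
    """Return the effective dnssec= value from recursor.conf text."""
    # Assumptions of this example: the last assignment wins, and an unset
    # option falls back to `default`. Included files are not followed.
    mode = default
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"dnssec\s*=\s*(\S+)", line)
        if m:
            mode = m.group(1).lower()
    return mode


def triage(version, conf_text):
    """Return (release status, dnssec mode, whether the described DoS applies)."""
    status = release_status(version)
    mode = dnssec_mode(conf_text)
    return status, mode, status == "needs-update" and mode in AFFECTED_MODES


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# recursor.conf (constructed sample)
local-address=127.0.0.1
dnssec=process
"""
```

A "needs-update" result with the last field False still means the release lacks the fix; the flag only reflects the two dnssec= modes the announcement names.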