= BIND9.20.15 =

[[/resolver]]

https://bind9.readthedocs.io/en/v9.20.15/notes.html

Address various spoofing attacks. (CVE-2025-40778)

Previously, several issues could be exploited to poison a DNS cache with spoofed records for zones which were not DNSSEC-signed or if the resolver was configured to not do DNSSEC validation. These issues were assigned CVE-2025-40778 and have now been fixed. As an additional layer of protection, named no longer accepts DNAME records or extraneous NS records in the AUTHORITY section unless these are received via spoofing-resistant transport (TCP, UDP with DNS cookies, TSIG, or SIG(0)).

ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University for bringing this vulnerability to our attention. [GL #5414]

No explanation of the vulnerability's details.

-----

diff resolver.c ~/bind-9.20.15/lib/dns/resolver.c

{{{
< * Examine the records in the authority section (if there are any) for a
< * positive answer. We expect the names for all rdatasets in this
< * section to be subdomains of the domain being queried; any that are
< * not are skipped. We expect to find only *one* owner name; any names
< * after the first one processed are ignored. We expect to find only
< * rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
< * remains can be cached at trust level authauthority or additional
< * (depending on whether the AA bit was set on the answer).
---
> * If a positive answer was received over TCP or secured with a cookie
> * or TSIG, examine the authority section. We expect names for all
> * rdatasets in this section to be subdomains of the domain being queried;
> * any that are not are skipped. We expect to find only *one* owner name;
> * any names after the first one processed are ignored. We expect to find
> * only rdatasets of type NS; all others are ignored. Whatever remains can
> * be cached at trust level authauthority or additional (depending on
> * whether the AA bit was set on the answer).
8747a8841,8845
> /* If it's spoofable, don't cache it. */
> if (!rctx->secured && (rctx->query->options & DNS_FETCHOPT_TCP) == 0) {
> return;
> }
>
8756c8854,8856
< if (!name_external(name, dns_rdatatype_ns, fctx)) {
---
> if (!name_external(name, dns_rdatatype_ns, rctx) &&
> dns_name_issubdomain(fctx->name, name))
> {
9021,9025c9121,9124
< log_formerr(fctx, "multiple NS "
< "RRsets "
< "in "
< "authority "
< "section");
---
> log_formerr(
> fctx,
> "multiple NS RRsets in "
> "authority section");
...
}}}
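Review bot: the rewritten comment in the first hunk lists "TCP or secured with a cookie or TSIG" but omits SIG(0), which the release note names as a spoofing-resistant transport and which the code covers through the single `rctx->secured` flag; suggest "secured with a cookie, TSIG or SIG(0)" so the comment states the same policy the code enforces.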
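Review bot: the early return added in hunk 8747a8841,8845 discards the whole authority section for unsecured UDP answers without any trace; a debug-level log or a statistics counter on this path would let operators see how often responses are being dropped as spoofable, which matters for resolvers whose upstreams do not support DNS cookies and therefore will now only cache authority NS data after a TCP retry.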
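Review bot: in hunk 8756c8854,8856 the direction of the new check disagrees with the comment: the first hunk still says authority names are expected to be "subdomains of the domain being queried", while `dns_name_issubdomain(fctx->name, name)` tests the reverse, that the queried name lies at or below the NS owner name. The code direction is the right one for a positive answer (the NS owner is the zone containing the qname), so the comment should be reworded to match. This hunk also changes the third argument of `name_external` from `fctx` to `rctx`; confirm every other caller of `name_external` was updated with the signature change, since only this one appears in the excerpt.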
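Review bot: hunk 9021,9025c9121,9124 is whitespace-only; the `log_formerr` message text is identical before and after. Folding this into the security fix makes the diff harder to audit; keep it in a separate formatting commit.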
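A model of the cache-acceptance policy that the release note and the patch describe, added here as an illustration and not BIND code: the structs, `is_subdomain` and `cache_authority` are constructed stand-ins for `rctx->secured`, `DNS_FETCHOPT_TCP` and `dns_name_issubdomain`, and the patch's `name_external` bailiwick check is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for the resolver state the patch consults. */
enum rrtype { RR_NS, RR_DNAME, RR_RRSIG, RR_OTHER };
struct auth_rr { enum rrtype type; const char *owner; };
struct query_ctx {
    bool over_tcp;     /* models query->options & DNS_FETCHOPT_TCP */
    bool secured;      /* models rctx->secured: cookie, TSIG or SIG(0) verified */
    const char *qname; /* models fctx->name; lowercase, fully qualified ("www.example.com.") */
};

/* Stand-in for dns_name_issubdomain(name, zone): true when name is zone
 * itself or lies below it. Names are fully qualified with a trailing dot. */
static bool is_subdomain(const char *name, const char *zone) {
    size_t nl = strlen(name), zl = strlen(zone);
    if (strcmp(zone, ".") == 0) return true;               /* everything is under root */
    if (nl < zl || strcasecmp(name + nl - zl, zone) != 0) return false;
    return nl == zl || name[nl - zl - 1] == '.';           /* label boundary: reject "xexample.com." */
}

/* Returns how many authority-section records would be cached under the
 * 9.20.15 rules: spoofing-resistant transport, NS type only, owner name at
 * or above the queried name, and only the first owner name encountered. */
int cache_authority(const struct query_ctx *q, const struct auth_rr *rrs, int n) {
    /* Hunk 8747a8841,8845: if it's spoofable, don't cache it. */
    if (!q->secured && !q->over_tcp) return 0;
    const char *first_owner = NULL;
    int cached = 0;
    for (int i = 0; i < n; i++) {
        /* Only NS rdatasets are considered; DNAME, RRSIG and others are ignored. */
        if (rrs[i].type != RR_NS) continue;
        /* Hunk 8756c8854,8856: the queried name must be inside the owner's zone. */
        if (!is_subdomain(q->qname, rrs[i].owner)) continue;
        /* Owner names after the first one processed are ignored. */
        if (first_owner == NULL) first_owner = rrs[i].owner;
        else if (strcasecmp(first_owner, rrs[i].owner) != 0) continue;
        cached++;
    }
    return cached;
}
```

The same records that are cached over TCP or with a verified cookie are dropped entirely over plain UDP, which is the layer the release note adds for unsigned zones.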