Highlights
Denial of Service: 125 prior fixes. Scrutinize any change in this area.
services/authzone.c: most-fixed (43 issues). Treat as high-risk during review.
140 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Remote Code Execution: Unsafe copy operations in dns_msg_deepcopy_region during DNSSEC validation can cause heap-based memory corruption and write-what-where conditions, potentially leading to remote code execution. Developers must ensure structure-level assignments do not overwrite active pointer allocations.
DNS Cache Poisoning: Flaws in the message scrubbing/sanitization phase allow promiscuous, out-of-zone, or unvalidated NS records to poison the resolver's cache. Sanitizers must strictly enforce authority boundaries and restrict cache updates based on explicit, verified query types.
Auth Bypass: The DNSSEC engine has repeatedly suffered from logical bypasses when handling synthesized CNAMEs, wildcards, and negative proofs (NSEC/NSEC3), where unchecked or unsigned records in the chain of trust were treated as secure. Every referral and synthesized record path must strictly inherit validation state.