{"id":"CVE-2018-14644","details":"An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for at least one of the meta-types. As a result, subsequent queries from clients requesting DNSSEC validation will be answered with a ServFail.","modified":"2026-03-14T09:27:51.014458Z","published":"2018-11-09T19:29:00.253Z","related":["MGASA-2019-0009","openSUSE-SU-2018:4062-1","openSUSE-SU-2018:4177-1","openSUSE-SU-2024:11157-1"],"references":[{"type":"ADVISORY","url":"https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-07.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14644"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/powerdns/pdns","events":[{"introduced":"ba64cecd417688dc39c75e92f1a23b91f7f46d64"},{"last_affected":"0a98a51fb1fbf90922f2edf7e47f3a9a050e2ddf"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"last_affected":"4.1.4"}]}}],"versions":["auth-4.0.0","auth-4.0.1","auth-4.1.0","auth-4.1.0-rc1","auth-4.1.0-rc2","auth-4.1.0-rc3","dnsdist-1.1.0","dnsdist-1.1.0-beta1","dnsdist-1.1.0-beta2","dnsdist-1.2.0","rec-4.0.0","rec-4.0.1","rec-4.0.2","rec-4.1.0","rec-4.1.0-alpha1","rec-4.1.0-rc1","rec-4.1.0-rc2","rec-4.1.0-rc3","rec-4.1.1","rec-4.1.2","rec-4.1.3","rec-4.1.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14644.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}