Description
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to forge DNS responses that convince the Recursor that a legitimate authoritative server does not support EDNS. Because the Recursor then rejects or degrades validation of DNSSEC records from that server, any DNSSEC‑protected domain served by the affected authoritative source becomes unresolvable for clients relying on this Recursor, effectively denying access to those domains.

Affected Systems

The flaw is present in PowerDNS Recursor, a DNS recursive resolver used by many organizations to provide name resolution to end users. Any environment that deploys this version of Recursor and forwards queries to authoritative servers vulnerable to the spoof, without proper validation configured, is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, and the EPSS score is not available, so the current exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be carried out by injecting malicious DNS replies over the network path between the Recursor and the authoritative server, most likely via UDP or TCP. Once a response is spoofed, the Recursor’s internal state changes to consider that server as non‑EDNS, causing DNSSEC validation failures for subsequent queries. The impact is limited to the affected resolver and its downstream clients, but it can disrupt DNSSEC‑only domain access within an organization.

Generated by OpenCVE AI on June 25, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerDNS Recursor to the latest release that contains the patch for this DNS reply spoofing issue.
  • Configure the Recursor to enforce strict inbound packet validation, rejecting any DNS responses that do not match the expected EDNS flags or source credentials.
  • Monitor outgoing and incoming DNS traffic for anomalous responses and verify that upstream authoritative servers are correctly configured for EDNS and DNSSEC support.

Generated by OpenCVE AI on June 25, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6369-1 pdns-recursor security update
History

Thu, 25 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Thu, 25 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
Title Spoofed answers can mark an authoritative non-EDNS capable
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T14:21:36.692Z

Reserved: 2026-06-08T08:05:31.708Z

Link: CVE-2026-52690

cve-icon Vulnrichment

Updated: 2026-06-25T14:21:27.232Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-290

    Authentication Bypass by Spoofing