GHSA-v7pc-74h8-xq2h: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-v7pc-74h8-xq2h) affects Hickory DNS's DNSSEC validation routines, discovered and disclosed in February 2025. The issue impacts the hickory-proto Rust package versions >= 0.8.0 to < 0.24.3 and >= 0.25.0-alpha.1 to < 0.25.0-alpha.5. This moderate severity vulnerability involves the improper verification of self-signed RRSIG for DNSKEYs, where the system incorrectly treats entire RRsets of DNSKEY records as trusted after establishing trust in only one DNSKEY (GitHub Advisory, RustSec Advisory).

The vulnerability stems from a flaw in the DNSSEC validation process where verifydnskeyrrset() returns Ok(true) if any record's public key matches a trust anchor, leading to verifyrrset() returning a Secure proof. Additionally, verifydefaultrrset() looks up DNSKEY records through handle.lookup(), but fails to properly verify the whole RRset of DNSKEYs. A similar issue exists where verifydnskey_rrset() returns Ok(false) if any DNSKEY record is covered by a DS record, only checking that one key is authenticated by a DS in the parent zone's delegation point (GitHub Advisory).

This vulnerability affects Hickory DNS users who rely on DNSSEC verification in the client library, stub resolver, or recursive resolver. The flaw could allow unauthorized keys to be trusted for authenticating records in a zone if a zone includes a DNSKEY with a public key matching a configured trust anchor (Hickory DNS Advisory).

The vulnerability has been patched in versions 0.24.3 and 0.25.0-alpha.5 of the hickory-proto package. Users are advised to upgrade to these patched versions to resolve the security issue (GitHub Advisory).