Blocky DNSSEC validation bypass and validation-cache scope pollution
Blocky accepts and caches forged DNS answers while dnssec.validate: true is enabled. The issue has two related exploit paths:

1. Basic DNSSEC validation bypass. If an untrusted upstream returns an unsigned positive answer for a DNSSEC-signed public domain, Blocky classifies the response as Insecure solely because the response contains no RRSIG records. It does not first check the DS/DNSKEY chain to determine whether the queried name is below a signed delegation. …
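As an added illustration (not Blocky's own code), the following Go model contrasts the two classification rules the paragraph describes: the flawed rule that downgrades any answer without RRSIGs to Insecure, and a chain-aware rule that does so only when a validated proof shows the name sits below an unsigned delegation. The Answer and Chain types, and the map of proven-absent DS records, are constructed assumptions for the example.

```go
package main

import "strings"

// SecStatus is the validator's verdict for one answer.
type SecStatus string

const Secure, Insecure, Bogus SecStatus = "Secure", "Insecure", "Bogus"

// Answer is a constructed model of an upstream reply: whether it carried
// RRSIG records and whether those signatures verified.
type Answer struct {
	Name       string
	HasRRSIG   bool
	RRSIGValid bool
}

// Chain is a constructed model of proven delegation state: DSProvenAbsent[zone]
// is true when a validated NSEC/NSEC3 answer from the parent proved that zone
// has no DS record. Every other cut below the root trust anchor is signed.
type Chain struct{ DSProvenAbsent map[string]bool }

// classifyBySignatureOnly reproduces the flawed rule: no RRSIG means Insecure,
// with no check of whether the name lies under a signed delegation.
func classifyBySignatureOnly(a Answer) SecStatus {
	if !a.HasRRSIG {
		return Insecure
	}
	if a.RRSIGValid {
		return Secure
	}
	return Bogus
}

// classifyWithChain walks the name from the TLD down. An unsigned answer is
// Insecure only if some delegation on that path has a proven-absent DS;
// otherwise the name lies inside a signed zone and a missing RRSIG is Bogus.
func classifyWithChain(a Answer, c Chain) SecStatus {
	if a.HasRRSIG {
		if a.RRSIGValid {
			return Secure
		}
		return Bogus
	}
	labels := strings.Split(strings.TrimSuffix(a.Name, "."), ".")
	for i := len(labels) - 1; i >= 0; i-- {
		if c.DSProvenAbsent[strings.Join(labels[i:], ".")+"."] {
			return Insecure
		}
	}
	return Bogus
}
```

A forged, signature-stripped answer for a name under a signed zone passes the first rule as Insecure but is rejected as Bogus by the second, while a genuinely unsigned delegation is still classified Insecure by both.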