The peculiar case of NSEC processing using expanded wildcard records

We discovered a vulnerability in the processing of wildcard synthesized NSEC records. The result was Unbound, Google public DNS, PowerDNS and Dnsmasq contained a flaw that made it possible to downgrade secure connections. While synthesis of NSEC records is allowed by RFC 4592, these synthesized owner names should not be used in the NSEC processing. This does, however, happen in Unbound 1.6.7 and earlier versions.

Ralph Dolmans wrote a blog post about the discovery and findings.