It was discovered that Unbound, a DNS resolver, does not properly
check cryptographic signatures on NSEC3 records. As a result, zones
signed with the NSEC3 variant of DNSSEC lose their cryptographic
protection. (An attacker would still have to carry out an ordinary
cache poisoning attack to add bad data to the cache.)
The old stable distribution (etch) does not contain an unbound
package.
For the stable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny1.
For the unstable distribution (sid) and the testing distribution
(squeeze), this problem has been fixed in version 1.3.4-1.
We recommend that you upgrade your unbound package.