"The most important affected program is ISC BIND, which is the
most widely used DNS server on the internet. A flaw in its
validation of signatures on DNSSEC replies means that the server
may be vulnerable to DNS spoofing attacks even where DNSSEC is in
use. BIND have released BIND 9.6.0-P1 this morning to fix this
bug.
"The common mistake is in the checking of return values from
functions in OpenSSL that check digital signatures. Programmers
have failed to allow for all the possible return values of the
EVP_VerifyFinal function, and as a result some cases where the
signature has not been successfully checked can be mistakenly
treated as successfully verified."
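
The return-value mistake described in the quote, as an added example (not code from BIND, OpenSSL or the advisory). EVP_VerifyFinal is documented to return 1 for a verified signature, 0 for a signature that does not match, and -1 for other errors; verify_final_stub below is a hypothetical stand-in with that same contract so the example runs without OpenSSL, and its expected signature bytes and its "wrong length" error condition are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for EVP_VerifyFinal (assumption, not OpenSSL code).
 * It mirrors the documented tri-state contract:
 *    1  signature verified
 *    0  signature did not match
 *   -1  some other error; here a wrong-length signature is used as a
 *       constructed error condition for the stub only                   */
#define SIG_LEN 4
static const unsigned char EXPECTED_SIG[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};

static int verify_final_stub(const unsigned char *sig, size_t len)
{
    if (sig == NULL || len != SIG_LEN)
        return -1;                       /* check could not be carried out */
    return memcmp(sig, EXPECTED_SIG, SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed pattern: only 0 is treated as failure, so -1 falls through
 * and the caller believes the signature was verified. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!verify_final_stub(sig, len))
        return 0;                        /* rejected */
    return 1;                            /* accepted, including rc == -1 */
}

/* Corrected pattern: accept only the one value that means "verified". */
int accept_strict(const unsigned char *sig, size_t len)
{
    return verify_final_stub(sig, len) == 1;
}

int main(void)
{
    const unsigned char good[SIG_LEN] = {0xde, 0xad, 0xbe, 0xef};
    const unsigned char bad[SIG_LEN]  = {0x00, 0x00, 0x00, 0x00};
    const unsigned char odd[2]        = {0xde, 0xad};   /* stub returns -1 */

    printf("case       flawed strict\n");
    printf("match      %d      %d\n", accept_flawed(good, 4), accept_strict(good, 4));
    printf("mismatch   %d      %d\n", accept_flawed(bad, 4),  accept_strict(bad, 4));
    printf("error(-1)  %d      %d\n", accept_flawed(odd, 2),  accept_strict(odd, 2));
    return 0;
}
```

When auditing code for this pattern, look for verification results tested with `!rc` or `rc != 0` rather than compared against 1.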