It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. For the stable distribution , this problem has been fixed in version 9.3.4-2etch4. For the unstable distribution and the testing distribution , this problem will be fixed soon. We recommend that you upgrade your BIND packages.