pdns-recursor is vulnerable to denial of service. A remote attacker is able to cause the cached records for a given name to be updated to the Bogus DNSSEC validation state instead of their actual DNSSEC Secure state via a DNS ANY query, resulting in a denial of service condition for the installation that performs validate (dnssec=validate), and for clients requesting validation when on-demand validation is enabled (dnssec=process).