Re: CVE Request - OpenStack Designate mDNS DoS through incorrect handling of large RecordSets

[Kiall Mac Innes <kiall () macinnes ie>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 28/07/15 19:57, cve-assign () mitre org wrote:
> > https://launchpad.net/bugs/1471161
>
> > Designate does not enforce the DNS protocol limit concerning
> > record set sizes
>
> > As a result, the rendering loop in desginate-mdns can does not
> > make progress
>
> > Because it keeps receiving data, it does not seem it will ever
> > run into a timeout (and if it does, it will try again).
>
> > https://bugs.launchpad.net/designate/+bug/1471161/comments/5
>
> > I think there is 2 parts to this bug:
>
> > 1: Quotas were being bypassed as part of the v1 API. 2. If there
> > was enough RRs in a RRSet MiniDNS went into a loop. 3. MiniDNS
> > does not have a timeout.
>
> Our current feeling is that it is best to have two CVE IDs: one
> for the original "does not enforce the DNS protocol limit
> concerning record set sizes" issue and one for the "Quotas were
> being bypassed" issue. Is that OK?

Yes, this is OK.

> [SNIP]
>
> We feel that item 3, adding a timeout, can be considered a
> security enhancement opportunity that should not have its own CVE
> ID, i.e., there is no report of a vulnerability that can be fixed
> only with a timeout.

Agreed.

> Finally, our understanding is that multiple names are being used to
> refer to the general 
> https://wiki.openstack.org/wiki/Designate/Blueprints/MiniDNS
> concept, i.e., we think "MiniDNS does not have a timeout" is an
> observation about the Designate codebase, not a third-party DNS
> server such as from the https://code.google.com/p/minidns/ site.
> Also, we think this part of the Designate codebase is also called
> designate-mdns (misspelled as desginate-mdns) and mDNS -- these are
> essentially alternative names for Designate MiniDNS.

Interesting, https://code.google.com/p/minidns/ is project I've not
seen before. Within OpenStack Designate, we typically refer to the
`designate-mdns` service as either MiniDNS or mDNS, we will need to
ensure we're clearer in our wording in future to avoid any possible
confusion.

Thanks,
Kiall
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVt9RIAAoJEHuWgzsGpgIa4igIAL4eiWoGF9ca5Cw4nlmQqZoe
ZNnDJCI9JnAj87FOj7wVep8mM1RvD6dSmyfKeixp6ounAMCtaVoOtQa2oF+Gxqk0
A3nAgRCKWMKr6awmlN5FClLoX8oHg88iIOv8hE45RqjUaXat1dHvPog1YBxN6Ud0
Sx/IOaCWKHJIi/wJdwmNLbIP573tFhL0Hfw+m6AIiuRL495F7Umvqdb1nMHR/wfl
/bwiTwfX3yD0q/kZAEZux23zBCOZEv24C9ups6LEP5un2G0w8P97VQdGDRhzddls
EQstl/2gxR6yOPWV9f4MFxeVlEohHT5MZ5gvNio+7zzCJC5T9kSHGHDoe00LV5c=
=BHnN
-----END PGP SIGNATURE-----