oss-sec mailing list archives

Malicious primary DNS servers can crash secondaries

From: Florian Weimer <fweimer () redhat com>
Date: Wed, 6 Jul 2016 12:10:19 +0200

It turns out that most DNS server implementations do not implementreasonable restrictions for zone sizes. This allows an explicitlyconfigured primary DNS server for a zone to crash a secondary DNSserver, affecting service of other zones hosted on the same secondaryserver.


Some references:

https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html
https://gitlab.labs.nic.cz/labs/knot/merge_requests/541
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790

PowerDNS is reportedly affected as well, but I did not find a public bugfor this issue.


Florian

Current thread:

Malicious primary DNS servers can crash secondaries Florian Weimer (Jul 06)
- Re: Malicious primary DNS servers can crash secondaries cve-assign (Jul 06)
- Re: Malicious primary DNS servers can crash secondaries Remi Gacogne (Jul 07)