http://bugzilla.opensuse.org/show_bug.cgi?id=987873 Bug ID: 987873 Summary: VUL-0: CVE-2016-6173: nsd: malicious primary DNS servers can crash secondaries Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: All Status: NEW Severity: Major Priority: P5 - None Component: 3rd party software Assignee: mrueckert@suse.com Reporter: astieger@suse.com QA Contact: opensuse-communityscreening@forge.provo.novell.com CC: mrueckert@suse.com Found By: Security Response Team Blocker: --- Courtesy bug from the SUSE security team for server:dns/nsd via oss-sec http://seclists.org/oss-sec/2016/q3/19 "most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server." from https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html

* [ For [LT] Secondary DNS Service ]

See https://github.com/sischkg/xfer-limit

Most of authoritative DNS server softwares do not have size limit of zone transfer. He generated unlimited zone information at master server, and transfered to slave servers. BIND 9, knot DNS and Power DNS slave servers received unlimited zone informataion and died. NSD slave DNS server received unlimited zone data and /tmp became full.

He generated zone transfer size limit patch for BIND 9, Knot, NSD, PowerDNS.

Third party patches at https://github.com/sischkg/xfer-limit References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6173 http://seclists.org/oss-sec/2016/q3/20 -- You are receiving this mail because: You are on the CC list for the bug.