Bugzilla – Bug 987869
VUL-0: CVE-2016-6171: knot: malicious primary DNS servers can crash secondaries
Last modified: 2016-08-04 07:54:48 UTC
via oss-sec http://seclists.org/oss-sec/2016/q3/19

"most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server."

from https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html

> * [ For [LT] Secondary DNS Service ]
>
> See https://github.com/sischkg/xfer-limit
>
> Most authoritative DNS server software does not have a size limit for
> zone transfers. He generated unlimited zone information at the master
> server and transferred it to slave servers. BIND 9, Knot DNS and PowerDNS
> slave servers received unlimited zone information and died.
> The NSD slave DNS server received unlimited zone data and /tmp became full.
>
> He generated zone transfer size limit patches for BIND 9, Knot, NSD and
> PowerDNS.

Third party patches at https://github.com/sischkg/xfer-limit

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6171
http://seclists.org/oss-sec/2016/q3/20
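The failure mode reported above is a missing budget on the receiving side: the secondary keeps accepting zone data until memory (or, for NSD, /tmp) runs out. The following is an added example, not code from knot, BIND, NSD or PowerDNS and not the sischkg/xfer-limit patches. It shows a secondary-side AXFR consumer that enforces a byte and record limit per message while the transfer is streaming in, so a primary that never sends the closing SOA is rejected at the limit instead of exhausting the host. The wire messages, the zone name `example.com.`, the record counts and the limits are all constructed in-process for illustration; nothing touches the network.

```python
"""Bounded AXFR consumer for a secondary (added illustration, not a server's
own code). A TCP zone transfer is a stream of 2-byte-length-prefixed DNS
messages; the budget is checked per message, before the data is stored."""
import struct

RR_TYPE_A, RR_TYPE_SOA, RR_TYPE_AXFR, RR_CLASS_IN = 1, 6, 252, 1


class ZoneTooLarge(Exception):
    """Transfer exceeded the configured byte or record budget."""


def encode_name(name):
    """Dotted name -> DNS wire format (uncompressed labels)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the name at `off` (compression pointers allowed)."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length & 0xC0 == 0xC0:          # pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_axfr_response(zone, rrs):
    """One AXFR response with TCP length prefix, carrying (owner, type, rdata) RRs."""
    msg = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)   # QR|AA, 1 question
    msg += encode_name(zone) + struct.pack(">HH", RR_TYPE_AXFR, RR_CLASS_IN)
    for owner, rtype, rdata in rrs:
        msg += encode_name(owner) + struct.pack(">HHIH", rtype, RR_CLASS_IN, 3600, len(rdata)) + rdata
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a TCP length prefix")
    return struct.pack(">H", len(msg)) + msg


def parse_answer_rrs(msg):
    """Parse a response; return its answer section as (type, rdata) tuples."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    rrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        rrs.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs


def receive_axfr(stream, max_bytes, max_records):
    """Consume a TCP AXFR stream, enforcing the budget as each message arrives."""
    zone, total, off = [], 0, 0
    while off < len(stream):
        if off + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (mlen,) = struct.unpack(">H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + mlen]
        if len(msg) != mlen:
            raise ValueError("truncated message")
        off += 2 + mlen
        total += mlen
        if total > max_bytes:              # reject before parsing or storing
            raise ZoneTooLarge(f"transfer exceeded {max_bytes} bytes")
        rrs = parse_answer_rrs(msg)
        zone.extend(rrs)
        if len(zone) > max_records:
            raise ZoneTooLarge(f"transfer exceeded {max_records} records")
        if len(zone) > 1 and rrs and rrs[-1][0] == RR_TYPE_SOA:
            return zone                    # closing SOA: transfer complete
    raise ValueError("stream ended before the closing SOA")


def bounded_transfer(stream, max_bytes, max_records):
    """Outcome as a zone loader would log it: ('loaded', n) or ('rejected', why)."""
    try:
        return ("loaded", len(receive_axfr(stream, max_bytes, max_records)))
    except ZoneTooLarge as exc:
        return ("rejected", str(exc))


# --- constructed inputs; no real primary is involved --------------------------
def soa_rr(zone):
    rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
    return (zone, RR_TYPE_SOA, rdata + struct.pack(">IIIII", 1, 3600, 900, 604800, 86400))


def small_zone_stream(zone="example.com."):
    """Well-behaved primary: SOA, three A records, closing SOA, one message."""
    hosts = [(f"h{i}.{zone}", RR_TYPE_A, bytes([10, 0, 0, i])) for i in (1, 2, 3)]
    return build_axfr_response(zone, [soa_rr(zone)] + hosts + [soa_rr(zone)])


def runaway_zone_stream(zone="example.com.", messages=50, per_message=100):
    """Malicious primary: A records keep coming, the closing SOA never arrives."""
    out, n = build_axfr_response(zone, [soa_rr(zone)]), 0
    for _ in range(messages):
        batch = []
        for _ in range(per_message):
            n += 1
            batch.append((f"h{n}.{zone}", RR_TYPE_A, struct.pack(">I", n)))
        out += build_axfr_response(zone, batch)
    return out


if __name__ == "__main__":
    print(bounded_transfer(small_zone_stream(), 1_000_000, 10_000))
    print(bounded_transfer(runaway_zone_stream(), 50_000, 10_000_000))
```

The point of checking `total > max_bytes` before `parse_answer_rrs` is the NSD case from the report: the limit has to apply to what is accepted from the socket, not to what is later committed to memory or a temporary file, otherwise the transfer still fills /tmp before anything rejects it. A real server would also want the limit to be per zone and configurable, since a legitimate large zone on the same secondary should not be cut off by a global default.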
openSUSE only.
bugbot adjusting priority
According to upstream and the openSUSE maintainer (Ondrej Sury), this does not deserve the attention it has (and should not have a CVE assigned). 'We believe that master and slave servers should have appropriate trust relationship.' [1] The bug is more like a feature request and, if you want, feed it through FATE and we can consider an update to 1.6.8 as soon as it is out. [1] https://lists.nic.cz/pipermail/knot-dns-users/2016-July/000915.html