FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

BIND,Knot,NSD,PowerDNS -- denial over service via oversized zone transfers

Affected packages
bind99 <= 9.9.9P2
bind910 <= 9.10.4P2
bind911 <= 9.11.0.b2
0 <= bind9-devel
knot < 1.6.8
knot1 < 1.6.8
knot2 < 2.3.0
nsd < 4.1.11
powerdns < 4.0.1

Details

VuXML ID 7d08e608-5e95-11e6-b334-002590263bf5
Discovery 2016-07-06
Entry 2016-08-10

ISC reports:

DNS protocols were designed with the assumption that a certain amount of trust could be presumed between the operators of primary and secondary servers for a given zone. However, in current practice some organizations have scenarios which require them to accept zone data from sources that are not fully trusted (for example: providers of secondary name service). A party who is allowed to feed data into a zone (e.g. by AXFR, IXFR, or Dynamic DNS updates) can overwhelm the server which is accepting data by intentionally or accidentally exhausting that server's memory.

References

CVE Name CVE-2016-6170
CVE Name CVE-2016-6171
CVE Name CVE-2016-6172
CVE Name CVE-2016-6173
Message http://www.openwall.com/lists/oss-security/2016/07/06/4
URL https://kb.isc.org/article/AA-01390