Bugzilla – Bug 790
A master can kill an NSD slave with infinite zones
Last modified: 2016-07-06 16:30:56 CEST
There has been a public report (http://dnsops.jp/event20160624.html, https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html) that a rogue master can kill an NSD slave by sending unlimited zone data during a zone transfer. With NSD, /tmp becomes full.
A tool to implement the attack is https://github.com/sischkg/xfer-limit. It also includes a proposed patch to NSD.
Thank you for the bug entry, I had not spotted this yet!
Applied the patch (I think it is from Toshifumi Sakaguchi, sischkg on GitHub), with small fixes and documentation added to it.
I cannot think of a good default value for it, so I'll leave that at the suggested 0 (unlimited).
Best regards, Wouter
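To make the failure mode and the shape of the fix concrete, here is an added C example. It is a constructed model written for this page, not NSD's code and not the patch from the xfer-limit repository: a toy AXFR receiver that spools incoming records into a temporary file (the analogue of NSD's /tmp transfer file) and refuses to spool more than a configured number of bytes, with 0 meaning unlimited as in the default discussed above. The record layout, the callback-shaped masters, the names `xfr_receive`, `honest_next`, `rogue_next`, `run_honest`, `run_rogue`, and all sizes are assumptions of the example. The rogue master never sends the closing SOA; the `fuse` counter exists only so the unlimited case terminates in the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified wire record: type, rdata length, rdata. Constructed for the demo,
 * not NSD's own data structures. */
enum { RR_A = 1, RR_SOA = 6 };
struct rr { uint16_t type; uint16_t rdlen; uint8_t rdata[64]; };

/* A master is modelled as a callback that fills in the next record and returns
 * 0 when the TCP stream ends. A rogue master never returns 0 and never sends
 * the closing SOA. */
typedef int (*master_fn)(void *ctx, struct rr *out);

enum xfr_status { XFR_OK, XFR_LIMIT_EXCEEDED, XFR_TRUNCATED, XFR_BAD_START, XFR_IO_ERROR };
struct xfr_result { enum xfr_status status; size_t bytes; size_t records; };

/* Slave side: spool the AXFR into a temp file, enforcing size_limit bytes.
 * size_limit == 0 means unlimited (the default chosen for the patch). */
struct xfr_result xfr_receive(master_fn next, void *ctx, size_t size_limit)
{
    struct xfr_result r = { XFR_TRUNCATED, 0, 0 };
    struct rr rr;
    FILE *spool = tmpfile();
    if (spool == NULL) { r.status = XFR_IO_ERROR; return r; }

    while (next(ctx, &rr)) {
        size_t wire = sizeof rr.type + sizeof rr.rdlen + rr.rdlen;
        /* An AXFR must open with the zone's SOA. */
        if (r.records == 0 && rr.type != RR_SOA) { r.status = XFR_BAD_START; break; }
        /* The missing check: refuse to grow the spool past the limit. */
        if (size_limit != 0 && r.bytes + wire > size_limit) { r.status = XFR_LIMIT_EXCEEDED; break; }
        if (fwrite(&rr.type, sizeof rr.type, 1, spool) != 1 ||
            fwrite(&rr.rdlen, sizeof rr.rdlen, 1, spool) != 1 ||
            fwrite(rr.rdata, 1, rr.rdlen, spool) != rr.rdlen) { r.status = XFR_IO_ERROR; break; }
        r.bytes += wire;
        r.records++;
        /* The second SOA closes the transfer. */
        if (r.records > 1 && rr.type == RR_SOA) { r.status = XFR_OK; break; }
    }
    fclose(spool); /* on any failure the partial spool is simply discarded */
    return r;
}

static void make_rr(struct rr *out, uint16_t type, uint16_t rdlen)
{
    out->type = type;
    out->rdlen = rdlen;
    memset(out->rdata, 0xAB, rdlen); /* constructed filler rdata */
}

/* Honest master: SOA, n_records A records, closing SOA, then end of stream.
 * SOA rdata is 20 bytes and A rdata 4 bytes in this model. */
struct honest_master { size_t n_records; size_t sent; };
static int honest_next(void *ctx, struct rr *out)
{
    struct honest_master *m = ctx;
    if (m->sent == 0 || m->sent == m->n_records + 1) make_rr(out, RR_SOA, 20);
    else if (m->sent <= m->n_records) make_rr(out, RR_A, 4);
    else return 0;
    m->sent++;
    return 1;
}

/* Rogue master: SOA followed by A records forever, no closing SOA. The fuse
 * only makes the unlimited demo terminate; a real attacker keeps sending
 * until the slave's disk is full. */
struct rogue_master { size_t sent; size_t fuse; };
static int rogue_next(void *ctx, struct rr *out)
{
    struct rogue_master *m = ctx;
    if (m->sent >= m->fuse) return 0;
    make_rr(out, m->sent == 0 ? RR_SOA : RR_A, m->sent == 0 ? 20 : 4);
    m->sent++;
    return 1;
}

struct xfr_result run_honest(size_t n_records, size_t limit)
{
    struct honest_master m = { n_records, 0 };
    return xfr_receive(honest_next, &m, limit);
}

struct xfr_result run_rogue(size_t fuse, size_t limit)
{
    struct rogue_master m = { 0, fuse };
    return xfr_receive(rogue_next, &m, limit);
}

int main(void)
{
    struct xfr_result r = run_rogue(1000, 0);
    printf("rogue, unlimited:  status=%d bytes=%zu (stopped only by the demo fuse)\n", r.status, r.bytes);
    r = run_rogue(1000, 1024);
    printf("rogue, limit 1024: status=%d bytes=%zu records=%zu\n", r.status, r.bytes, r.records);
    r = run_honest(10, 0);
    printf("honest:            status=%d bytes=%zu records=%zu\n", r.status, r.bytes, r.records);
    return 0;
}
```

With the limit at 0 the only thing that stops the rogue transfer is the demo fuse; in the real attack nothing does, which is why a default of "unlimited" leaves the decision with the operator. The limit is checked before the write rather than after, so the spool never exceeds the configured size even by one record, and a legitimate transfer that fits within the limit completes unchanged.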
For the record, this is apparently CVE-2016-6173