We take security very seriously. If you have found a security issue in NSD, please submit a security report.
NSD time sensitive TSIG compare vulnerability
| Credit: | Ondrej Sury (ISC) |
| Affects: | NSD 4.1.22 and earlier versions |
| Not affected: | NSD 4.1.23 and later |
| Impact: | Potential key leakage |
| Solution: | Upgrade to NSD 4.1.23 or newer |
NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key, shared between both sides of the zone transfer connection, to protect the data. The comparison code in NSD was not constant-time, so an attacker could potentially use timing information to discover data about the key contents.
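The difference between an early-exit comparison and a constant-time one, as an added example (this is not NSD's source code). The function names, the 32-byte MAC length and the MAC bytes are assumptions constructed for illustration, and the count of bytes examined stands in for the running time an observer could measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAC_LEN 32 /* assumed digest size (HMAC-SHA256); data below is constructed */

struct probe_result { int equal; size_t work; };
typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Early-exit compare (memcmp style); *work counts bytes examined, a stand-in for time. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *work)
{
    for (size_t i = 0; i < n; i++) {
        (*work)++;
        if (a[i] != b[i])
            return 0; /* returns at the first differing byte */
    }
    return 1;
}

/* Constant-time compare: always reads all n bytes, so the work is data-independent. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *work)
{
    volatile uint8_t diff = 0; /* volatile discourages the compiler from short-circuiting */
    for (size_t i = 0; i < n; i++) {
        (*work)++;
        diff |= (uint8_t)(a[i] ^ b[i]); /* fold every difference into one byte */
    }
    return diff == 0;
}

/* Compare a constructed MAC with a candidate whose first `prefix` bytes match. */
static struct probe_result probe(cmp_fn cmp, size_t prefix)
{
    uint8_t expected[MAC_LEN], candidate[MAC_LEN];
    struct probe_result r = { 0, 0 };
    for (size_t i = 0; i < MAC_LEN; i++) {
        expected[i] = (uint8_t)(0xA0 + i); /* not a real digest */
        candidate[i] = i < prefix ? expected[i] : (uint8_t)~expected[i];
    }
    r.equal = cmp(expected, candidate, MAC_LEN, &r.work);
    return r;
}

int main(void)
{
    for (size_t p = 0; p <= MAC_LEN; p += 8)
        printf("matching=%2zu leaky=%2zu constant=%2zu\n", p,
               probe(leaky_equal, p).work, probe(ct_equal, p).work);
    return 0;
}
```

The early-exit work grows with the number of leading bytes that match, while the constant-time work stays at the full MAC length for every input.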
Denial of service via a zone transfer with unlimited data
| Affects: | NSD 4.1.10 and earlier versions |
| Not affected: | Other versions |
| Impact: | Denial of Service |
| Solution: | Upgrade to NSD 4.1.11 or newer |
NSD before 4.1.11 allows remote DNS master servers to cause a denial of service (/tmp disk consumption and slave server crash) via a zone transfer with unlimited data. The size-limit-xfr option was implemented in NSD 4.1.11 to stop NSD from downloading an unbounded amount of zone transfer data.