On Thu, Feb 26, 2009 at 3:34 PM, Matthew Dempsky <matthew@xxxxxxxxxxx> wrote: > Some caveats: this bug only affects domains that serve DNS content > using tinydns and axfrdns (only for DNS queries over TCP; clients do > not need AXFR permissions) from djbdns 1.05 and allow untrusted users > to include arbitrary records (at least about 100 records, totalling > about 30KB of space) within some zone. > > In summary: if you use tinydns/axfrdns from djbdns 1.05 to serve > authoritative DNS content and give untrusted users control over > records you serve, I strongly suggest you install this patch. I don't > believe other users are at risk, but they are encouraged to install > this patch as well to be safe. There was a request for clarification about this on the djbdns mailing list, so I thought I should include it here: this bug affects dnscache as well, but I do not think dnscache can be exploited using it. Rationale: exploiting this bug in tinydns/axfrdns required forcing djbdns to misformat a name in the owner position of the record, which can be done using additional section processing. dnscache doesn't do additional section processing, and there are at most 16 CNAME records preceding the answer records (which even assuming no name compression could not take up more than about 8000 bytes of space). Therefore, if an owner name is compressible, any previous occurrences will necessarily have been within the first 16384 bytes of the packet. It's possible for dnscache and tinydns/axfrdns to mangle names in the record data sections, but the rdlength fields will still be correct, so reasonable parsers should be protected. I know the packet parsers in djbdns are safe from this, but I can imagine other parser implementations that wouldn't handle this safely. (Hence why I encourage everyone to install the patch to be safe.)
