Hi everybody, today, ANSSI has released their report on the issue. You can find it at http://www.ssi.gouv.fr/en/the-anssi/events/vulnerabilty-disclosure-the-infinitely-delegating-name-servers-idns-attack.html
Based on this, we realise our original announcement was missing one detail. The following text has been added to it: ======= Note that in addition to providing bad service, this issue can be abused to send unwanted traffic to an unwilling third party. Please see ANSSI's report for more information. ======= So, please update your Recursors, even if you only have a limited set of users - your machines may still be abused to DDoS unwilling third parties. Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ On 08 Dec 2014, at 17:00 , Peter van Dijk <peter.van.d...@netherlabs.nl> wrote: > Hi everybody, > > Please be aware of PowerDNS Security Advisory 2014-02 > (http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/), which you > can also find below. The good news is that the currently released version of > the > PowerDNS Recursor is safe. The bad news is that users of older versions > will have to upgrade. > > PowerDNS Recursor 3.6.2, released late October, is in wide production use > and has been working well for our users. If however you have reasons not to > upgrade, the advisory below contains a link to a patch which applies to > older versions. > > Finally, if you have problems upgrading, please either contact us on our > mailing lists, or privately via powerdns.supp...@powerdns.com (should you > wish to make use of our SLA-backed support program). > > We want to thank Florian Maury of French government information security > agency ANSSI for bringing this issue to our attention and coordinating the > security release with us and other nameserver vendors. > > ## PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier > can be made to provide bad service > > * CVE: CVE-2014-8601 > * Date: 8th of December 2014 > * Credit: Florian Maury ([ANSSI](http://www.ssi.gouv.fr/en/)) > * Affects: PowerDNS Recursor versions 3.6.1 and earlier > * Not affected: PowerDNS Recursor 3.6.2; no versions of PowerDNS > Authoritative Server > * Severity: High > * Impact: Degraded service > * Exploit: This problem can be triggered by sending queries for specifically > configured domains > * Risk of system compromise: No > * Solution: Upgrade to PowerDNS Recursor 3.6.2 > * Workaround: None known. Exposure can be limited by configuring the > **allow-from** setting so only trusted users can query your nameserver. > > Recently we released PowerDNS Recursor 3.6.2 with a new feature that > strictly limits the amount of work we'll perform to resolve a single query. > This feature was inspired by performance degradations noted when resolving > domains hosted by 'ezdns.it', which can require thousands of queries to > resolve. > > During the 3.6.2 release process, we were contacted by a government security > agency with news that they had found that all major caching nameservers, > including PowerDNS, could be negatively impacted by specially configured, > hard to resolve domain names. With their permission, we continued the 3.6.2 > release process with the fix for the issue already in there. > > We recommend that all users upgrade to 3.6.2 if at all possible. > Alternatively, > if you want to apply a minimal fix to your own tree, it can be found > [here](https://downloads.powerdns.com/patches/2014-02/), including patches > for older versions. > > As for workarounds, only clients in allow-from are able to trigger the > degraded service, so this should be limited to your userbase.
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Pdns-dev mailing list Pdns-dev@mailman.powerdns.com http://mailman.powerdns.com/mailman/listinfo/pdns-dev
