Replies: 1 comment
Locking discussion to stop spam bots.
Xiang Li from Network and Information Security Lab, Tsinghua University discovered a way where “Ghost domains” could stay in the cache longer than max_ttl allows. I have integrated some measures to minimize the impact of these issues so that caching cannot be abused to keep a rogue domain, already deleted upstream, cached for an inordinate amount of time.
The attacks require an attacker who can perform queries against a recursive instance of Deadwood. The only impact is that entries may be cached longer than desired.
This issue was fixed in Deadwood 3.5.0022 (git commit f43254b) released on May 7, 2022, and in Deadwood 3.4.03 (non-Git legacy branch) released on August 3, 2022. To allow other DNS server developers ample time to fix and patch the issue, I kept a 90-day embargo. I made the issue public on August 1, 2022, after working with other DNS implementors and getting the green light from them first.
CVE number: CVE-2022-30256
Impact: Records can be kept cached longer than desired