CVE-2022-2795

Greg Choules gregchoules+bindusers at googlemail.com
Wed Oct 19 08:43:19 UTC 2022


Hi Greg.
Short answer: no.
Slightly less short answer: no, if you prevent the server from trying to
follow delegations. It's that potentially wild goose chase that was the
problem.

In short:
- Forwarding must cover everything the server needs to do (that isn't
locally defined) i.e. global forwarding.
- Along with "forwarders {x;y;z;};" also configure "forward only;" to tell
the server not to chase down delegations, should forwarding fail for some
reason.
 If it's *only* forwarding it won't need to try and follow any NS records
it might receive; goose chase avoided.

Hope that helps.
Greg

On Tue, 18 Oct 2022 at 19:46, Greg Rabil <Greg.Rabil at cygnalabs.com> wrote:

> Hi bind-users,
>
> This vulnerability was recently fixed in BIND 9.16.33:
>
> CVE-2022-2795: Processing large delegations may severely degrade resolver
> performance
>
> Question: Would a server that is configured to forward all queries be
> impacted by this issue?
>
> Thanks,
>
> Greg
>
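
One way to check a named.conf for the two conditions given in the reply above (global "forwarders" plus "forward only;"), as an added example that is not part of the original thread or of BIND. The sample configurations and addresses are constructed, and only the top-level options block is examined (view and zone overrides are not).

```python
import re

def tokenize(conf):
    """Split named.conf text into tokens, dropping /* */, // and # comments."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", " ", conf)  # markers inside quotes not handled
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', conf)

def parse(tokens, pos=0):
    """Parse tokens into statements; each { } block becomes a nested list."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "{":
            block, pos = parse(tokens, pos)
            cur.append(block)
        elif tok == "}":
            break
        elif tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    return stmts, pos

def audit(conf):
    """Return findings for the global options block; empty list means OK."""
    top, _ = parse(tokenize(conf))
    opts = [s for st in top if st[0] == "options" for s in st[-1]]
    forwarders = mode = None
    for s in opts:
        if s[0] == "forwarders":
            forwarders = [addr[0] for addr in s[-1]]
        elif s[0] == "forward" and len(s) > 1:
            mode = s[1]
    findings = []
    if not forwarders:
        findings.append("no global forwarders configured")
    if mode != "only":
        findings.append("'forward only;' not set: server may follow delegations")
    return findings

# Constructed sample configurations (192.0.2.0/24 is a documentation range).
WEAK = """options {
    forwarders { 192.0.2.1; 192.0.2.2; };  // forward mode left at default (first)
};"""
FIXED = """options {
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward only;  /* never fall back to iteration */
};"""
```
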