[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Ralf Weber dns at fl1ger.de
Wed Feb 17 12:14:00 UTC 2016


On 17 Feb 2016, at 12:27, Tony Finch wrote:

> Florian Weimer <fw at deneb.enyo.de> wrote:
>> But it's certainly true there aren't any good network-side mitigation
>> options.
> It might be reasonable to limit the size of A and AAAA RRsets to somewhat
> less than 2KB :-) But right now it's easier (with the software I'm
> running) to fix glibc than add the necessary nameserver feature :-/

It all depends on the software you are using ;-). And while it is possible
to implement such a policy with our (Nominum) software and possibly others,
I would still advise against using it, as it is possible to create A and
AAAA records of that size easily. I've actually seen such large records,
but they were either part of purpose-built amplification domains or DNS
tunnels. But one never knows what DNS usages the future brings.

So long
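As an added illustration of the "somewhat less than 2KB" RRset figure discussed in the thread (example code written for this page, not from any list participant or from Nominum's software): the Python below builds a constructed DNS response in wire format, totals the answer section per record type, and flags an A or AAAA RRset that exceeds a configurable limit. It also shows how few compression-pointer records it takes to pass 2048 bytes, which is the point about such RRsets being easy to produce for legitimate reasons. The function names, the 2048-byte constant and the placeholder name example.test. are assumptions.

```python
import struct

# Constructed example values; the names and constants below are not from the list thread.
TYPE_A = 1
TYPE_AAAA = 28
CLASS_IN = 1
RRSET_LIMIT = 2048  # bytes; the "somewhat less than 2KB" figure from the thread


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rtype, rdatas, txid=0x1234):
    """Build a minimal response: header, one question, one RR per rdata.
    Answer owner names use a compression pointer to offset 12 (the question
    name), as real servers do, so each RR costs 12 bytes plus its rdata."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rd)) + rd
        for rd in rdatas
    )
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def answer_bytes_by_type(msg):
    """Walk the answer section and total the on-the-wire bytes per RR type,
    counting each RR's owner name, fixed fields and rdata."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    totals = {}
    for _ in range(ancount):
        start = off
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlength
        totals[rtype] = totals.get(rtype, 0) + (off - start)
    return totals


def address_rrset_over_limit(msg, limit=RRSET_LIMIT):
    """True if the A or AAAA RRset in the answer section exceeds the limit."""
    totals = answer_bytes_by_type(msg)
    return any(totals.get(t, 0) > limit for t in (TYPE_A, TYPE_AAAA))


def records_that_fit(rtype, limit=RRSET_LIMIT):
    """How many compressed A or AAAA records fit under the limit; this is what
    makes such RRsets easy to reach with ordinary, legitimate zone data."""
    rdlen = 16 if rtype == TYPE_AAAA else 4
    return limit // (12 + rdlen)


if __name__ == "__main__":
    # Constructed: 80 AAAA records for a placeholder name inside 2001:db8::/32.
    rdatas = [struct.pack("!8H", 0x2001, 0x0DB8, 0, 0, 0, 0, 0, i) for i in range(80)]
    msg = build_response("example.test.", TYPE_AAAA, rdatas)
    print(len(msg), answer_bytes_by_type(msg), address_rrset_over_limit(msg))
    print(records_that_fit(TYPE_A), records_that_fit(TYPE_AAAA))
```

The size check deliberately counts only the answer-section RRs of the address types, so it measures the RRset as the thread describes it rather than the whole message; a resolver-side policy would have to decide what to do when the check fires (truncate, refuse or just log), which is where the risk of breaking legitimate large RRsets comes in.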

