We take security very seriously. If you have found a security issue in NSD, please submit a security report.

NSD time sensitive TSIG compare vulnerability

Credit: Ondrej Sury (ISC)
Affects: NSD 4.1.22 and earlier versions
Not affected: NSD 4.1.23 and later
Impact: Potential key leakage
Solution: Upgrade to NSD 4.1.23 or newer

NSD uses TSIG to protect zone transfers. The TSIG code uses a secret key to authenticate the data, and that key is shared by both sides of the zone transfer connection. The TSIG comparison code in NSD was not constant-time: its running time depended on where the compared values first differed, so an attacker could potentially use timing information to learn something about the key contents.
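The two comparison strategies side by side, as an added illustration written for this page rather than NSD's own code: an early-exit compare whose amount of work depends on where the first mismatching byte lies, and a constant-time compare that examines every byte and keeps no data-dependent branch. The 32-byte sample MACs, the byte pattern and the mismatch positions are constructed for the example; the functions return how many bytes each strategy examined so the difference can be checked without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TSIG_MAC_LEN 32  /* length of an HMAC-SHA256 digest; constructed example */

/* Early-exit comparison (the memcmp-style pattern). Returns 1 if equal, 0
 * otherwise, and reports in *bytes_examined how many bytes were looked at
 * before the verdict was known. That count, and so the running time, depends
 * on the position of the first mismatch: the side channel the advisory describes. */
int mac_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t len,
                         size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = len;
    return 1;
}

/* Constant-time comparison: always touches every byte and accumulates the
 * differences with OR, so neither the loop count nor any branch depends on
 * the secret data. */
int mac_equal_constant_time(const uint8_t *a, const uint8_t *b, size_t len,
                            size_t *bytes_examined)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *bytes_examined = len;
    /* diff is 0 iff every byte matched; fold to 1/0 without a branch:
     * the top bit of (diff | -diff) is set exactly when diff != 0 */
    return 1 - ((diff | (uint8_t)(-diff)) >> 7);
}

/* Constructed sample: a deterministic 32-byte "good" MAC and a forged copy
 * that differs only at index mismatch_at (mismatch_at >= TSIG_MAC_LEN means
 * the two are identical). */
static void make_sample_macs(uint8_t *good, uint8_t *forged, size_t mismatch_at)
{
    size_t i;
    for (i = 0; i < TSIG_MAC_LEN; i++) {
        good[i] = (uint8_t)(i * 7 + 13);
        forged[i] = good[i];
    }
    if (mismatch_at < TSIG_MAC_LEN)
        forged[mismatch_at] ^= 0x01;
}

/* Bytes examined / verdict for the early-exit compare at a given mismatch position. */
size_t early_exit_bytes_examined(size_t mismatch_at)
{
    uint8_t good[TSIG_MAC_LEN], forged[TSIG_MAC_LEN];
    size_t n;
    make_sample_macs(good, forged, mismatch_at);
    mac_equal_early_exit(good, forged, TSIG_MAC_LEN, &n);
    return n;
}

int early_exit_verdict(size_t mismatch_at)
{
    uint8_t good[TSIG_MAC_LEN], forged[TSIG_MAC_LEN];
    size_t n;
    make_sample_macs(good, forged, mismatch_at);
    return mac_equal_early_exit(good, forged, TSIG_MAC_LEN, &n);
}

/* Same two measurements for the constant-time compare. */
size_t constant_time_bytes_examined(size_t mismatch_at)
{
    uint8_t good[TSIG_MAC_LEN], forged[TSIG_MAC_LEN];
    size_t n;
    make_sample_macs(good, forged, mismatch_at);
    mac_equal_constant_time(good, forged, TSIG_MAC_LEN, &n);
    return n;
}

int constant_time_verdict(size_t mismatch_at)
{
    uint8_t good[TSIG_MAC_LEN], forged[TSIG_MAC_LEN];
    size_t n;
    make_sample_macs(good, forged, mismatch_at);
    return mac_equal_constant_time(good, forged, TSIG_MAC_LEN, &n);
}

int main(void)
{
    size_t pos;
    for (pos = 0; pos <= TSIG_MAC_LEN; pos += 8)
        printf("mismatch at %2zu: early-exit examined %2zu bytes, constant-time examined %2zu\n",
               pos, early_exit_bytes_examined(pos), constant_time_bytes_examined(pos));
    return 0;
}
```

The early-exit variant stops after 1 byte for a forgery that is wrong in the first byte and after 32 for one that is wrong only in the last, which is exactly the per-byte signal a timing measurement can pick up; the constant-time variant examines 32 bytes in every case. The same reasoning applies to `memcmp`, which is allowed to (and in practice does) return at the first differing byte.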

Denial of service via a zone transfer with unlimited data

Credit: Toshifumi Sakaguchi
Affects: NSD 4.1.10 and earlier versions
Not affected: Other versions
Impact: Denial of Service
Solution: Upgrade to NSD 4.1.11 or newer

NSD before 4.1.11 allowed a remote DNS master server to cause a denial of service (/tmp disk consumption and a slave server crash) via a zone transfer of unlimited size. The size-limit-xfr option was implemented in NSD 4.1.11 to stop NSD from downloading zone transfer data of unbounded size.
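A secondary zone configured with a transfer size cap, as an added configuration example that is not taken from the NSD documentation or from this advisory: the zone name, the master address (from the 192.0.2.0/24 documentation range), the key name, the secret placeholder and the 20 MiB limit are all assumed values chosen for illustration.

```conf
# nsd.conf fragment (constructed example, assumed values)
key:
    name: "transfer-key"
    algorithm: hmac-sha256
    secret: "BASE64-SECRET-PLACEHOLDER"

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    # pull the zone from the master, authenticated with the TSIG key above
    request-xfr: 192.0.2.10 transfer-key
    allow-notify: 192.0.2.10 transfer-key
    # abort any incoming transfer larger than 20 MiB; the default of 0
    # means unlimited, which is the pre-4.1.11 behaviour described above
    size-limit-xfr: 20971520
```

Pick the limit from the known size of the zone with comfortable headroom for growth: a cap that is too small makes legitimate transfers fail, while leaving it at 0 reproduces the unbounded download this advisory is about. Check /tmp (or the configured xfrdir) free space against the limit multiplied by the number of zones that can be in transfer at once.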