Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 14 Feb 2024 07:10:26 +0100 (CET)
From: Otto Moerbeek <>
To: "" <>
Subject: PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a
 zone can lead to a denial of service in Recursor

We have released PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2.

   These releases fix PowerDNS Security Advisory 2024-01: crafted DNSSEC
   records in a zone can lead to a denial of service in Recursor. The
   Advisory follows:

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead
to a denial of service in Recursor

     * CVE: CVE-2023-50387 and CVE-2023-50868
     * Date: 13th of February 2024.
     * Affects: PowerDNS Recursor up to and including 4.8.5, 4.9.2 and
     * Not affected: PowerDNS Recursor 4.8.6, 4.9.3 and 5.0.2
     * Severity: High
     * Impact: Denial of service
     * Exploit: This problem can be triggered by an attacker publishing a
       crafted zone
     * Risk of system compromise: None
     * Solution: Upgrade to patched version or disable DNSSEC validation

   An attacker can publish a zone that contains crafted DNSSEC related
   records. While validating results from queries to that zone using the
   RFC mandated algorithms, the Recursor√Ęs resource usage can become so
   high that processing of other queries is impacted, resulting in a
   denial of service. Note that any resolver following the RFCs can be
   impacted, this is not a problem of this particular implementation.

   CVSS Score: 7.5, see

   The remedies are one of:

     * upgrade to a patched version
     * disable DNSSEC validation by setting dnssec=off or
       process-no-validate; when using YAML settings: dnssec.validate: off
       or process-no-validate. Note that this will affect clients
       depending on DNSSEC validation.

   We would like to thank Elias Heftrig, Haya Schulmann, Niklas Vogel, and
   Michael Waidner from the German National Research Center for Applied
   Cybersecurity ATHENE for bringing CVE-2023-50387 to the attention of
   the DNS community and especially Niklas Vogel for his assistance in
   validating the patches. We would also like to thank Petr Spacek from
   ISC for discovering and responsibly disclosing CVE-2023-50868.

   Please refer to the changelogs  (4.8.6[3], 4.9.3[4] and 5.0.2[5]) and
   upgrade guide for additional details. The upgrade guide describes one
   known issue related to the zoneToCache function.

   Please send us all feedback and issues you might have via the mailing
   list[6], or in case of a bug, via GitHub[7].

   The tarballs (4.8.6[8], 4.9.3[9], 5.0.2[10]) (with signature files
   4.8.6[11], 4.9.3[12], 5.0.2[13]) are available from our
   download server[14] and packages for several distributions are
   available from our repository[15].

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.


   1. file:///Users/otto/pdns/pdns/recursordist/html-docs/security-advisories/powerdns-advisory-2024-01.html#powerdns-security-advisory-2024-01-crafted-dnssec-records-in-a-zone-can-lead-to-a-denial-of-service-in-recursor


kind regards,
Otto Moerbeek
Senior Developer PowerDNS 

Phone: +49 2761 75252 00 Fax: +49 2761 75252 30

Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366 
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin 
Chairman of the Board: Richard Seibt 
PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt

Download attachment "signature.asc" of type "application/pgp-signature" (476 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.