PT-2018-4980 · Powerdns+1 · Powerdns+3

Mongo

Published: 2017-01-13 · Updated: 2019-10-09 · CVE-2016-7074

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PowerDNS versions prior to 3.4.11 and 4.0.2
PowerDNS recursor versions prior to 4.0.4

Description

The issue allows an attacker in a man-in-the-middle position to alter the content of an AXFR due to insufficient validation of TSIG signatures. A missing check that the TSIG record is the last one leads to the possibility of parsing records that are not covered by the TSIG signature.

Recommendations

For PowerDNS versions prior to 3.4.11, update to version 3.4.11 or later. For PowerDNS versions 3.4.11 through 4.0.2, update to version 4.0.2 or later. For PowerDNS recursor versions prior to 4.0.4, update to version 4.0.4 or later. As a temporary workaround, consider implementing additional validation checks for TSIG signatures to prevent alteration of AXFR content.
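
The placement rule named in the Description above, written as an added example (it is not PowerDNS code): a structural check that a raw DNS message carries exactly one TSIG record, as the final record of the additional section, with no bytes after it. It does not verify the MAC itself; the function names and the sample messages (`SIGNED`, `TAMPERED`) are constructed for this illustration.

```python
import struct

TYPE_TSIG = 250  # DNS RR type code for TSIG

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:    # compression pointer ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length
        if length == 0:              # root label ends the name
            return off
    raise ValueError("truncated name")

def tsig_placement(msg):
    """Classify a raw DNS message as 'ok', 'unsigned' or 'misplaced'."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, total, tsig_at = 12, an + ns + ar, []
    for _ in range(qd):                    # question: name, type, class
        off = _skip_name(msg, off) + 4
    for index in range(total):             # answer, authority, additional
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_TSIG:
            tsig_at.append(index)
    if off > len(msg):
        raise ValueError("truncated message")
    if not tsig_at:
        return "unsigned"
    # Exactly one TSIG, last in the additional section, no trailing bytes.
    last = tsig_at == [total - 1] and ar > 0 and off == len(msg)
    return "ok" if last else "misplaced"

# Constructed sample data: placeholder RDATA, not a real SOA or signature.
def _rr(rtype, rclass, rdata, name=b"\xc0\x0c"):
    return name + struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata
def build(records, arcount):
    head = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, arcount)
    return head + b"\x07example\x00\x00\xfc\x00\x01" + b"".join(records)
SOA, EXTRA = _rr(6, 1, bytes(22)), _rr(1, 1, bytes([192, 0, 2, 1]))
TSIG = _rr(TYPE_TSIG, 255, bytes(16), name=b"\x03key\x00")
SIGNED, TAMPERED = build([SOA, TSIG], 1), build([SOA, TSIG, EXTRA], 2)
```

`tsig_placement(SIGNED)` returns `"ok"`, while `TAMPERED`, which carries one more record after the TSIG, returns `"misplaced"` and should be rejected before any of its records are used.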

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2017-1425
CVE-2016-7074
DLA-798-1
DSA-3764-1
MGASA-2017-0033

Affected Products

Alt Linux
Powerdns
Powerdns Recursor
Powerdns Authoritative Server