CoreDNS · CVE-2026-35579
**Name of the Vulnerable Software and Affected Versions**
CoreDNS versions prior to 1.14.3
**Description**
CoreDNS transport implementations for gRPC, QUIC, DoH, and DoH3 incorrectly handle TSIG (Transaction Signature) authentication, which is a mechanism used to authenticate DNS messages.
In the gRPC and QUIC transports, the server checks whether the TSIG key name exists in the configuration but never calls `dns.TsigVerify()` to validate the HMAC (Hash-based Message Authentication Code). Consequently, any request carrying a known key name is treated as authenticated, regardless of whether its MAC is valid.
In the DoH and DoH3 transports the issue is more severe: the `DoHWriter.TsigStatus()` method unconditionally returns nil (that is, reports success), and the server never inspects the TSIG record at all. Any request containing a TSIG record is therefore treated as authenticated, even with an unknown key name and an arbitrary MAC.
An unauthenticated network attacker can exploit these flaws to bypass TSIG-protected functionality, such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behaviors. The exploitation bar is lower for DoH and DoH3 since a valid key name is not required.
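The gRPC/QUIC pattern above, as an added example that is not CoreDNS's own code: a simplified stand-in for `dns.TsigVerify()` that places the key-name-only check (the flaw) beside a check that recomputes the HMAC-SHA256 over the message and TSIG variables per RFC 8945 and compares it in constant time. The key names, secret and message bytes are constructed; the `TSIG`, `wireName`, `computeMAC`, `vulnerableVerify` and `hardenedVerify` names are assumptions for this example.

```go
package main
import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"strings"
)
// TSIG carries the record fields that enter the MAC (simplified from RFC 8945 section 4.3.3).
type TSIG struct {
	KeyName, Algorithm string // key owner name and algorithm name, e.g. "hmac-sha256."
	TimeSigned         uint64 // 48-bit seconds since epoch
	Fudge              uint16 // allowed clock skew in seconds
	MAC                []byte // MAC as received on the wire
}
// wireName encodes a DNS name as lower-case, length-prefixed labels (canonical form).
func wireName(name string) []byte {
	var b []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		b = append(append(b, byte(len(l))), l...)
	}
	return append(b, 0)
}
// computeMAC is HMAC-SHA256 over the message (TSIG RR removed) followed by the TSIG variables.
func computeMAC(msg []byte, t TSIG, key []byte) []byte {
	var buf bytes.Buffer
	buf.Write(msg)
	buf.Write(wireName(t.KeyName))
	binary.Write(&buf, binary.BigEndian, uint16(255)) // CLASS ANY
	binary.Write(&buf, binary.BigEndian, uint32(0))   // TTL 0
	buf.Write(wireName(t.Algorithm))
	binary.Write(&buf, binary.BigEndian, uint16(t.TimeSigned>>32)) // time signed: high 16 bits
	binary.Write(&buf, binary.BigEndian, uint32(t.TimeSigned))     // time signed: low 32 bits
	binary.Write(&buf, binary.BigEndian, []uint16{t.Fudge, 0, 0})  // fudge, error, other-len
	h := hmac.New(sha256.New, key)
	h.Write(buf.Bytes())
	return h.Sum(nil)
}
// vulnerableVerify mirrors the gRPC/QUIC flaw: the key name is looked up but the MAC is never checked.
func vulnerableVerify(t TSIG, secrets map[string][]byte) bool {
	return secrets[strings.ToLower(t.KeyName)] != nil
}
// hardenedVerify looks the key up, then recomputes the MAC and compares it in constant time.
// A production check must also enforce the TimeSigned/Fudge window and an algorithm allow-list.
func hardenedVerify(msg []byte, t TSIG, secrets map[string][]byte) bool {
	key, ok := secrets[strings.ToLower(t.KeyName)]
	if !ok {
		return false
	}
	return hmac.Equal(computeMAC(msg, t, key), t.MAC)
}
```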
**Recommendations**
Update to CoreDNS 1.14.3 or later.
As a temporary workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required.
Restrict network-level access to affected transport ports to trusted sources only.