CVE-2026-12490

NLnet · NSD

NSD fails to properly enforce client certificate authentication when a provide-xfr entry is configured with a tls-auth-name: a zone transfer request from a peer that presents no client certificate may still be served.

Executive summary

The NLnet NSD name server contains an authentication flaw that may allow unauthorized zone transfers, because the TLS client certificate that a provide-xfr entry requires is not properly validated.

Vulnerability

The issue arises when a provide-xfr entry carries a tls-auth-name, which is intended to require the requesting secondary to authenticate over TLS with a client certificate matching that name. When the secondary presents no client certificate at all, NSD does not reject the transfer request as expected, so the certificate-based authentication between primary and secondary is not actually enforced.
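To see what the affected configuration looks like and to find such entries quickly, the following Python script (an added example, not NSD's or NLnet Labs' code) audits an nsd.conf and flags provide-xfr entries whose only authentication is a tls-auth-name. The embedded configuration is constructed. The script assumes that provide-xfr takes the form "provide-xfr: ip-or-prefix tsig-key-name|NOKEY|BLOCKED [tls-auth-name]", mirroring request-xfr; check that layout against the nsd.conf(5) manual of the release in use, and note that include-pattern is not resolved.

```python
"""Audit nsd.conf for provide-xfr entries authenticated only by a tls-auth-name.
Added example; not NLnet Labs / NSD code.

Assumption: provide-xfr takes the form
    provide-xfr: <ip-or-prefix> <tsig-key-name | NOKEY | BLOCKED> [tls-auth-name]
mirroring request-xfr; include-pattern is not resolved.
"""
import re
import sys

# Constructed sample configuration; zone, key and tls-auth names are made up.
SAMPLE_NSD_CONF = """\
server:
    tls-service-key: "/etc/nsd/server.key"
    tls-service-pem: "/etc/nsd/server.pem"
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

key:
    name: "sec1key"
    algorithm: hmac-sha256
    secret: "bm90LWEtcmVhbC1zZWNyZXQ="

tls-auth:
    name: "sec1tls"
    auth-domain-name: "secondary1.example.net"

zone:
    name: "example.com"
    zonefile: "example.com.zone"
    provide-xfr: 192.0.2.10 NOKEY sec1tls      # client certificate only
    provide-xfr: 192.0.2.11 sec1key sec1tls    # TSIG as well
    provide-xfr: 198.51.100.0/24 NOKEY         # IP ACL only
    provide-xfr: 192.0.2.12 NOKEY missingtls   # undefined tls-auth block
    provide-xfr: 0.0.0.0/0 BLOCKED
"""

_BLOCK_RE = re.compile(r"^(server|key|tls-auth|zone|pattern|remote-control)\s*:")
_OPT_RE = re.compile(r"^\s+([a-z0-9-]+)\s*:\s*(.*?)\s*$")


def parse_nsd_conf(text):
    """Line-based parse: returns (zones, tsig_key_names, tls_auth_names).
    Each zone is {"name": str, "provide_xfr": [(peer, auth, tls_auth_name)]}."""
    zones, keys, tls_auths = [], set(), set()
    block, zone = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = _BLOCK_RE.match(line)
        if m:                                      # start of a top-level block
            block = m.group(1)
            if block == "zone":
                zone = {"name": None, "provide_xfr": []}
                zones.append(zone)
            continue
        m = _OPT_RE.match(line)
        if not m or block is None:
            continue
        opt, val = m.group(1), m.group(2).strip('"')
        if opt == "name" and block == "key":
            keys.add(val)
        elif opt == "name" and block == "tls-auth":
            tls_auths.add(val)
        elif opt == "name" and block == "zone":
            zone["name"] = val
        elif opt == "provide-xfr" and block == "zone":
            parts = val.split()
            auth = parts[1] if len(parts) > 1 else "NOKEY"
            zone["provide_xfr"].append((parts[0], auth, parts[2] if len(parts) > 2 else None))
    return zones, keys, tls_auths


def audit(text):
    """Classify every provide-xfr entry; returns a list of finding dicts."""
    zones, keys, tls_auths = parse_nsd_conf(text)
    findings = []
    for z in zones:
        for peer, auth, tls_name in z["provide_xfr"]:
            f = {"zone": z["name"], "peer": peer, "auth": auth, "tls_auth_name": tls_name}
            if auth == "BLOCKED":
                f["status"], f["note"] = "ok", "transfers blocked"
            elif auth == "NOKEY" and tls_name:
                f["status"], f["note"] = "vulnerable", (
                    "authenticated only by the TLS client certificate named by "
                    "tls-auth-name, which CVE-2026-12490 fails to enforce")
            elif auth == "NOKEY":
                f["status"], f["note"] = "weak", "IP-based ACL only (by design, not this CVE)"
            elif auth not in keys:
                f["status"], f["note"] = "error", f"TSIG key {auth!r} has no key: block"
            else:
                f["status"], f["note"] = "ok", "TSIG-authenticated"
            if tls_name and tls_name not in tls_auths:   # dangling reference wins
                f["status"], f["note"] = "error", f"tls-auth-name {tls_name!r} has no tls-auth: block"
            findings.append(f)
    return findings


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSD_CONF
    for f in audit(conf):
        print(f"[{f['status']:10}] {f['zone']} peer={f['peer']} auth={f['auth']} "
              f"tls-auth-name={f['tls_auth_name']}: {f['note']}")
```

Run it with the path to nsd.conf as the only argument; with no argument it audits the embedded sample. Entries reported as vulnerable are the ones to fence off with firewall rules or strengthen with a TSIG key until the patched release is installed.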

Business impact

The failure to enforce certificate-based authentication for zone transfers poses a significant risk to the confidentiality of DNS zone data. An attacker who can reach the zone transfer service of an affected primary could obtain unauthorized zone transfers, disclosing the full contents of a zone, which often reveals internal hostnames and network layout. With a CVSS score of 8.2, this vulnerability is rated high severity; its primary impact is on the confidentiality of zone data.

Remediation

Immediate Action: Update NSD to a release in which the vendor has fixed this issue, so that TLS client certificate authentication on provide-xfr entries is enforced.

Proactive Monitoring: Review NSD logs for AXFR or IXFR requests served to addresses that are not known secondaries, and for refused transfer attempts, which may indicate probing from untrusted hosts.

Compensating Controls: Restrict access to the zone transfer service at the network layer with firewall rules that permit only known secondary server addresses. Until the fix is deployed, treat any provide-xfr entry whose only authentication is a tls-auth-name as effectively unauthenticated and, where the configuration allows it, add a TSIG key to the entry so that the transfer does not depend on the client certificate check alone.
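As an added example of the log review described under Proactive Monitoring (not code from NSD or NLnet Labs), the script below extracts transfer events from NSD log lines and reports AXFR or IXFR requests that were served to peers outside a known-secondary list, together with a count of refused attempts per peer. The log lines and the known-secondary list are constructed; the message wording approximates NSD's syslog output at a verbosity that logs served transfers, and the regular expression should be adapted to the exact format logged by the release in use.

```python
"""Review NSD logs for AXFR/IXFR served to peers that are not known secondaries.
Added example; not NLnet Labs / NSD code.

Assumption: the sample lines are constructed to approximate NSD's syslog
messages for served and refused transfers; adapt _XFR_RE to the exact wording
of the NSD version in use.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log lines, not captured from a real server.
SAMPLE_LOG = """\
Mar  3 10:15:02 ns1 nsd[1234]: axfr for zone example.com. from 192.0.2.10
Mar  3 10:15:07 ns1 nsd[1234]: axfr for zone example.com. from 203.0.113.77
Mar  3 10:16:40 ns1 nsd[1234]: ixfr for zone example.com. from 192.0.2.11
Mar  3 10:17:12 ns1 nsd[1234]: axfr for example.com. from 203.0.113.78 refused, no acl matches
Mar  3 10:18:03 ns1 nsd[1234]: axfr for zone example.org. from 203.0.113.77
Mar  3 10:18:05 ns1 nsd[1234]: notify for zone example.com. from 192.0.2.10
"""

# Peers allowed to transfer; in practice derive these from the provide-xfr entries.
KNOWN_SECONDARIES = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24"]

_XFR_RE = re.compile(
    r"\b(?P<kind>axfr|ixfr)\s+for\s+(?:zone\s+)?(?P<zone>\S+)\s+from\s+"
    r"(?P<peer>[0-9a-fA-F.:]+)(?P<refused>.*\brefused\b)?",
    re.IGNORECASE,
)


def parse_xfr_events(lines):
    """Extract transfer events. A line that says 'refused' after the peer is
    recorded as served=False; any other matching line as a served transfer."""
    events = []
    for line in lines:
        m = _XFR_RE.search(line)
        if m:
            events.append({
                "kind": m.group("kind").lower(),
                "zone": m.group("zone").rstrip(".").lower(),
                "peer": m.group("peer").rstrip("."),
                "served": m.group("refused") is None,
            })
    return events


def is_known(peer, allow):
    """True if peer falls inside any address or prefix in allow; unparsable
    peers are treated as unknown so they surface in the report."""
    try:
        addr = ip_address(peer)
    except ValueError:
        return False
    return any(addr in ip_network(net, strict=False) for net in allow)


def review(lines, allow=KNOWN_SECONDARIES):
    """Return (served transfers to unknown peers, Counter of refusals per peer)."""
    events = parse_xfr_events(lines)
    unexpected = [e for e in events if e["served"] and not is_known(e["peer"], allow)]
    refused = Counter(e["peer"] for e in events if not e["served"])
    return unexpected, refused


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    unexpected, refused = review(src)
    for e in unexpected:
        print(f"ALERT {e['kind']} of {e['zone']} served to unknown peer {e['peer']}")
    for peer, n in refused.items():
        print(f"info  {n} refused transfer(s) from {peer}")
```

A served transfer to an address outside the known-secondary list is the signal that matters for this advisory; refused attempts are only context, since they show the ACL was applied.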

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical role of DNS infrastructure, organizations should prioritize identifying and patching affected NSD instances. In the meantime, verify every provide-xfr entry that relies on a tls-auth-name, so that zone transfers are only served when valid, verified credentials are presented.