GHSA-H8MM-C463-WJQ3 CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass)

Summary CoreDNS' transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. A permissive parent-zone transfer rule can override a restrictive subzone rule name-dependent, allowing an unauthorized client to perform AXFR/IXFR for the subzone...

UBUNTU-CVE-2016-6171

Knot DNS before 2.3.0 allows remote DNS servers to cause a denial of service memory exhaustion and slave server crash via a large zone transfer for 1 DDNS, 2 AXFR, or 3 IXFR...

DEBIAN-CVE-2016-6170

ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service secondary DNS server crash via a large AXFR response, and possibly allows IXFR servers to cause a denial of service IXFR client crash via a large IXFR response...