Auto-port 5.0: Dns: Insufficient Bailiwick Validation for NS Records #16899

Merged: chrisvest merged 1 commit into 5.0 from auto-port-pr-16877-to-5.0 on Jun 4, 2026
@netty-project-bot

Auto-port of #16877 to 5.0
Cherry-picked commit: 6f19adf


Motivation:

Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).

Modifications:

  • Add correct Bailiwick checks when caching NS.
  • Adjust tests

Result:

No more risk of cache poisoning

(cherry picked from commit 6f19adf)
@chrisvest added this to the 5.0.0.Final milestone Jun 2, 2026
@chrisvest merged commit 3ade2f6 into 5.0 Jun 4, 2026
11 of 13 checks passed
@chrisvest deleted the auto-port-pr-16877-to-5.0 branch June 4, 2026 17:02
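
The bailiwick rule the description refers to, as an added Java illustration that is not Netty's `DnsResolveContext` code or the patch in this PR. The class, method and parameter names are hypothetical, the names in `main` are constructed, and the rule shown is the general one: an NS owner name must lie inside the zone of the server that answered and must cover the question name.

```java
import java.util.Locale;

/** Added illustration of an NS bailiwick check; not Netty's code. All names are hypothetical. */
public final class NsBailiwickCheck {

    /** Lower-case the name and make it absolute (trailing dot) before comparing. */
    static String normalize(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    /** True if name equals zone or is a subdomain of it, matched on a label boundary. */
    static boolean isInZone(String name, String zone) {
        String n = normalize(name);
        String z = normalize(zone);
        if (z.equals(".")) {
            return true; // the root zone contains every name
        }
        // A plain endsWith(z) would wrongly accept "badexample.co.uk" for "example.co.uk".
        return n.equals(z) || n.endsWith("." + z);
    }

    /**
     * serverZone: zone the answering server was queried for (assumed to be tracked by the resolver).
     * question:   name being resolved.
     * nsOwner:    owner name of an NS record found in the response.
     */
    static boolean mayCacheNs(String serverZone, String question, String nsOwner) {
        boolean inBailiwick = isInZone(nsOwner, serverZone); // server may speak only for its own zone
        boolean coversQuestion = isInZone(question, nsOwner); // referral must lead towards the question
        return inBailiwick && coversQuestion;
    }

    public static void main(String[] args) {
        // Constructed sample: a server for example.co.uk answers a query for www.example.co.uk.
        String serverZone = "example.co.uk";
        String question = "www.example.co.uk";
        String[] nsOwners = {
            "example.co.uk.",    // the server's own zone
            "WWW.Example.Co.UK", // deeper delegation, mixed case
            "co.uk",             // parent zone: the poisoning case from the description
            "uk",                // further up the tree
            "badexample.co.uk",  // shares a string suffix but is a different zone
            "mail.example.co.uk" // in bailiwick but unrelated to the question
        };
        for (String owner : nsOwners) {
            String verdict = mayCacheNs(serverZone, question, owner) ? "cache" : "drop";
            System.out.println(owner + " -> " + verdict);
        }
    }
}
```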