The CVE number for this vulnerability is CVE-2026-12490

== Summary

Secondaries that are authenticated by a client certificate to transfer a zone over TLS can bypass that verification by transferring over TCP.

== Affected products

NSD up to and including version 4.14.2

== Description

When a "provide-xfr" is given with a "tls-auth-name", a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS on the regular "tls-port" (and not the "tls-auth-port"), or over TCP on the regular port, when the other conditions of the "provide-xfr" rule match.

The transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions and the "tls-auth-xfr-only" option is not explicitly set to "yes" (which, by default, it is not).

== Mitigation

=== Downloading patched version

NSD 4.14.3 is released with the patch: https://nlnetlabs.nl/downloads/nsd/nsd-4.14.3.tar.gz

=== Applying the patch manually

For NSD 4.14.2 the patch is: https://nlnetlabs.nl/downloads/nsd/patch_CVE-2026-12490.diff

Apply the patch in the nsd source directory with:

patch -p1 < patch_CVE-2026-12490.diff

then run 'make install' to install nsd. The patch is tested to work on nsd 4.14.2.

== Acknowledgments

We would like to thank Qifan Zhang from Palo Alto Networks for discovering and responsibly disclosing the vulnerability.
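A defender-side audit of the configuration state the description above calls out: "provide-xfr" rules that name a client certificate while "tls-auth-xfr-only" is not set to "yes". This is an added example written for this advisory, not NLnet Labs' code; it assumes the nsd.conf layout "provide-xfr: <ip> <key|NOKEY|BLOCKED> [tls-auth-name]" and that "tls-auth-xfr-only" may be set in the server: block or per zone:, and the sample configuration is constructed.

```python
"""Flag provide-xfr rules whose client-certificate check can be bypassed
on unpatched NSD (CVE-2026-12490) because tls-auth-xfr-only is not "yes".
Assumption: tls-auth-xfr-only is accepted in server: and zone: blocks."""


def parse_nsd_conf(text):
    """Parse a minimal subset of nsd.conf: server: and zone: blocks with
    'key: value' lines; provide-xfr lines are kept as token lists."""
    server_opts, zones, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line == "server:":
            cur = server_opts
            continue
        if line == "zone:":
            cur = {"provide-xfr": []}
            zones.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "provide-xfr":
            cur["provide-xfr"] = cur.get("provide-xfr", []) + [val.split()]
        else:
            cur[key] = val
    return server_opts, zones


def find_bypassable_rules(text):
    """Return (zone, peer, tls-auth-name) for every rule that pins a
    certificate name but is not protected by tls-auth-xfr-only: yes."""
    server_opts, zones = parse_nsd_conf(text)
    findings = []
    for z in zones:
        only = z.get("tls-auth-xfr-only",
                     server_opts.get("tls-auth-xfr-only", "no"))
        for rule in z["provide-xfr"]:
            # third token is the required client-certificate name
            if len(rule) >= 3 and rule[1] != "BLOCKED" and only != "yes":
                findings.append((z.get("name", "?"), rule[0], rule[2]))
    return findings


# Constructed sample: example.com is exposed, example.net has the option set.
SAMPLE_CONF = """\
server:
    tls-port: 853
    tls-auth-port: 8853
zone:
    name: "example.com"
    provide-xfr: 192.0.2.10 NOKEY secondary.example.com   # bypassable
zone:
    name: "example.net"
    tls-auth-xfr-only: yes
    provide-xfr: 192.0.2.10 NOKEY secondary.example.com
"""
```

Running `find_bypassable_rules(SAMPLE_CONF)` reports only the example.com rule; setting "tls-auth-xfr-only: yes" in the server: block clears it, and upgrading to 4.14.3 removes the bypass regardless of the option.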