From: Mark Andrews (Mark_Andrewsisc.org)
Date: Wed Jan 24 2007 - 18:22:47 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                Internet Systems Consortium Security Advisory.
                        BIND 9: DNSSEC Validation
                             10 January 2007

Versions affected:

        BIND 9.0.x (all versions of BIND 9.0) (at end-of-life)
        BIND 9.1.x (all versions of BIND 9.1) (at end-of-life)
        BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7
        BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
        BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
             9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1
        BIND 9.5.0a1 (Bind Forum only)

Severity: Low
Exploitable: Remotely

Description:

        When validating responses to type * (ANY) queries that return
        multiple RRsets in the answer section it is possible to trigger
        assertions checks.

        To be vulnerable you need to have enabled dnssec validation in
        named.conf by specifying trusted-keys.

Workaround:

        Disable / restrict recursion (to limit exposure).
        Disable DNSSEC validation (remove all trusted-keys from named.conf).

Fix:

        Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2.
        Additionally this will be fixed in the upcoming BIND 9.5.0a2.

Note:

        It is recommended that anyone using DNSSEC upgrade to BIND 9.3
        as the DNSSEC implementation in BIND 9.2 has been obsoleted.

Revision History:
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrewsisc.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]