Internet Systems Consortium Security Advisory.
Mark Andrews
Mark_Andrews at isc.org
Tue Sep 5 23:36:06 UTC 2006
BIND 9: Multiple DoS vulnerabilities
5 September 2006
Versions affected:
BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and
9.4.0b1.
See note for BIND 9.2.x
Severity: HIGH
Exploitable: Remotely
Type: DoS
SIG Query Processing (CVE-2006-4095):
Recursive servers:
Queries for SIG records will trigger an assertion failure if
more than one SIG(covered) RRset is returned.
Exposure can be minimized by restricting sources that can
ask for recursion.
Authoritative servers:
If a nameserver is serving an RFC 2535 DNSSEC zone and is
queried for the SIG records where there are multiple SIG(covered)
RRsets (e.g. a zone apex) then named will trigger an assertion
failure when it tries to construct the response.
Excessive Recursive Queries INSIST failure (CVE-2006-4096):
It is possible to trigger an INSIST failure by sending enough
recursive queries that the response to the query arrives after
all the clients looking for the response have left the recursion
queue.
Exposure can be minimized by restricting sources that can
ask for recursion.
Note for BIND 9.2.x:
Code handling this path for 9.2.x has been determined to be wrong,
though ISC has not been able to detect an execution path that would
trigger the erroneous code in 9.2.x.
Nonetheless a patch is provided.
Fix:
Upgrade to BIND 9.4.0b2, BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1
or BIND 9.2.6-P1 (or later).
These can be found via: http://www.isc.org/sw/bind/
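
The interim mitigation named under both CVE-2006-4095 (recursive servers) and CVE-2006-4096, restricting which sources may ask for recursion, can be expressed in named.conf as below. This is an added example, not part of the ISC advisory; the ACL name "trusted-clients" and the addresses are constructed placeholders to be replaced with the networks your resolver actually serves.

```conf
// named.conf fragment (added example; names and networks are placeholders)

// Sources that are allowed to use this server as a recursive resolver.
acl "trusted-clients" {
    127.0.0.1;          // the host itself
    192.0.2.0/24;       // constructed example: internal client network
    198.51.100.0/24;    // constructed example: second internal network
};

options {
    // Weak setting on the affected releases: leaving allow-recursion
    // unset, or writing it as below, lets any source on the Internet
    // submit recursive queries and so reach the recursion code paths
    // the advisory describes.
    //
    //     allow-recursion { any; };

    // Restricted setting: only the listed sources get recursion.
    // Other clients can still be answered from authoritative data.
    recursion yes;
    allow-recursion { "trusted-clients"; };
};

// A server that is authoritative-only has no need to recurse at all:
//
//     options { recursion no; };
//
// Neither setting changes the authoritative-server case of the SIG
// query issue; the advisory's fix for that is the upgrade listed above.
```

Check the edited file with `named-checkconf` before reloading named. This narrows who can reach the recursive paths; it does not replace upgrading to one of the fixed releases.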