BIND 8.2.4 vulnerability scope

Mike Mitchell Mike.Mitchell at
Wed Jan 3 15:09:59 UTC 2007

Even though BIND 8 is dead, it supports the 'rrset-order fixed'
option and BIND 9 does not.

While the support for the 'rrset-order fixed' option has been
added to BIND 9.4, 9.4 does not have an official release.  It
is in 'release candidate' state.

If you require 'rrset-order fixed;', like I do, then you're
stuck with BIND 8 until an official release of BIND 9.4.
I use BIND 8.4.7, released in December of 2005.

I am running BIND 9.4.0RC1 on a few test name servers and so
far I haven't had a problem.

Mike Mitchell
SAS Institute Inc.
Mike.Mitchell at
(919) 531-6793

-----Original Message-----
From: bind-users-bounce at [mailto:bind-users-bounce at] On Behalf Of Mark Andrews
Sent: Tuesday, January 02, 2007 6:18 PM
To: Darren Spruell
Cc: bind-users at
Subject: Re: BIND 8.2.4 vulnerability scope 

> I've identified a bind 8.2.4 installation for which we are determining
> options for updating or remediating vulnerabilities. According to
> the BIND vulnerability matrix, 8.2.4 is listed as vulnerable to a
> number of attacks, including, "libbind", "DoS_multi", "sigrec" and
> "negcache." From what I can tell, each of these relates to a flaw in
> handling of answers to recursive queries.
> Question is, is disabling recursion on the affected host enough to
> mitigate all known vulnerabilities against this software version, or
> do any of the known flaws work via non-recursive queries as well?
> Also, is the community aware of any holes in this version of the
> software that may not have made it into the vulnerability matrix that
> would warrant an update as well?
> I realize that the short answer is "just update" but the client likes
> to have the option of workarounds where possible.
> Thanks in advance,
> DS

	BIND 8 is dead.  The only part of BIND 8 that gets updated
	these days is libbind and that is shipped as part of BIND 9.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at
