Updated Security Advisory: BIND 9.4-ESV-R4-P1 is now available.

Larissa Shapiro larissas at isc.org
Fri May 27 13:26:03 UTC 2011

Change: BIND 9.4-ESV-R4-P1  is now available.

Title: Large RRSIG RRsets and Negative Caching can crash named.

Summary: A BIND 9 DNS server set up to be a caching resolver is
vulnerable to a user querying a domain with very large resource record
sets (RRSets) when trying to negatively cache a response. This can cause
the BIND 9 DNS server (named process) to crash.

Document ID: CVE-2011-1910

Posting date: 26 May 2011

Program Impacted: BIND

Versions affected: 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3,
9.7.1 and later, 9.8.0 and later

Severity: High

Exploitable: Remotely

CVSS Score: Base 7.8


For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:


DNS systems use negative caching to improve DNS response time. This will
keep a DNS resolver from repeatedly looking up domains that do not
exist. Any NXDOMAIN or NODATA/NOERROR response will be put into the
negative cache.

The authority data will be cached along with the negative cache
information. These authoritative "Start of Authority" (SOA) and
NSEC/NSEC3 records prove the nonexistence of the requested name/type. In
DNSSEC, all of these records are signed; this adds one additional RRSIG
record, per DNSSEC key, for each record returned in the authority
section of the response.

In this vulnerability, very large RRSIG RRsets included in a negative
cache can trigger an assertion failure that will crash named (BIND 9
DNS) due to an off-by-one error in a buffer size check.

The nature of this vulnerability would allow remote exploit. An attacker
can set up an DNSSEC signed authoritative DNS server with a large RRSIG
RRsets to act as the trigger. The attacker would then find ways to query
an organization's caching resolvers, using the negative caches and the
"trigger" the vulnerability. The attacker would require access to an
organization's caching resolvers. Access to the resolvers can be direct
(open resolvers), through malware (using a BOTNET to query negative
caches), or through driving DNS resolution (a SPAM run that has a domain
in the E-mail that will cause the client to do look up a negative cache).

Workarounds: Restricting access to the DNS caching resolver
infrastructure will provide partial mitigation. Active exploitation can
be accomplished through malware or SPAM/Malvertizing actions that will
force authorized clients to look up domains that would trigger this


Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2

Exploit Status: High. This issue has caused unintentional outages.

US CERT is tracking this issue with INC000000152411.


Thanks to Frank Kloeker and Michael Sinatra for getting the details to
this issue to the DNS Operations community and to Michael Sinatra, Team
Cmyru, and other community members for testing.

Revision History: Added the 9.4-ESV-R4-P1 download. 2011-May-27

Questions regarding this advisory should go to security-officer at isc.org.
Questions on ISC's Support services or other offerings should be sent to
sales at isc.org. More information on ISC's support and other offerings are
available at: http://www.isc.org/community/blog/201102/BIND-support

Larissa Shapiro
Internet Systems Consortium Product Manager
Technology Leadership for the Common Good
+1 650 423 1335

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20110527/caefc003/attachment.html>

More information about the bind-users mailing list