trigger point for new bug

Michael McNally mcnally at
Wed Nov 16 21:20:17 UTC 2011

On 11/16/11 9:55 AM, Chris Brookes wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server? An authoritative
> only server ought to be safe?

According to our best current understanding of the issue:

+  Authoritative-only nameservers should be safe and only
    recursing servers at risk.

+  From the security advisory we have posted on our website:
    ( )
    "An as-yet unidentified network event caused BIND 9 resolvers
    to cache an invalid record, subsequent queries for which could
    crash the resolvers with an assertion failure."

    Your server has to be servicing a query for the invalid cache
    data to pull the trigger on this.  That comes after the query
    ACL is applied.

Although that's somewhat better than "anyone, anywhere, can cause
this to happen to any server at any time", you should not rely on
it, as it requires little imagination to think how a user in your
network might be enticed into an action which caused them to issue
a query for the malformed data.

Mitigation patches have been posted to the ISC web site which can
prevent the server from exiting when the invalid cache data is
encountered.  We strongly advise anyone running a recursing BIND 9
server to deploy them.

Michael McNally
ISC Support

More information about the bind-users mailing list