trigger point for new bug

Gaurav Kansal gaurav.kansal at
Thu Nov 17 11:58:53 UTC 2011

Can you please explain What is the meaning of "INVALID RECORD"?????

Thanks and Regards,
Gaurav Kansal

-----Original Message-----
From: at
[ at] On Behalf Of
Michael McNally
Sent: Thursday, 17 November, 2011 2:50 AM
To: bind-users at
Subject: Re: trigger point for new bug

On 11/16/11 9:55 AM, Chris Brookes wrote:
> Any info on whether the newly announced bug can be triggered before 
> the query ACL is applied on a recursive only server? An authoritative 
> only server ought to be safe?

According to our best current understanding of the issue:

+  Authoritative-only nameservers should be safe and only
    recursing servers at risk.

+  From the security advisory we have posted on our website:
    ( )
    "An as-yet unidentified network event caused BIND 9 resolvers
    to cache an invalid record, subsequent queries for which could
    crash the resolvers with an assertion failure."

    Your server has to be servicing a query for the invalid cache
    data to pull the trigger on this.  That comes after the query
    ACL is applied.

Although that's somewhat better than "anyone, anywhere, can cause this to
happen to any server at any time", you should not rely on it, as it requires
little imagination to think how a user in your network might be enticed into
an action which caused them to issue a query for the malformed data.

Mitigation patches have been posted to the ISC web site which can prevent
the server from exiting when the invalid cache data is encountered.  We
strongly advise anyone running a recursing BIND 9 server to deploy them.

Michael McNally
ISC Support
Please visit to
unsubscribe from this list

bind-users mailing list
bind-users at

More information about the bind-users mailing list