Fix for CVE-2006-2073

Mark Andrews marka at
Wed Oct 19 00:32:48 UTC 2011

In message <87k482kw0l.fsf at>, Florian Weimer writes:
> I've noticed that nobody seems to have accurate information about
> CVE-2006-2073 on file.  This was a vulnerability in handling
> TSIG-based authentication *after* authentication, so it wasn't a high
> priority issue.

Actually it required the target server to be configured as a slave
to a custom built rogue master or for the attacker be in a position
to intercept the AXFR/IXFR request to a non compromised master.  It
also required that TSIG not be being used to authenticate the
AXFR/IXFR request.

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type:Allows disruption of service

I fail to see how this could ever have been classified as
Access Complexity: Low.

Looking at the CVE it looks like this bug fix contains the correction.

2013.   [bug]           Handle unexpected TSIGs on unsigned AXFR/IXFR
                        responses more gracefully. [RT #15941]

> What was the first BIND version that fixed it?

9.2.7, 9.3.3, 9.4.0.

> _______________________________________________
> Please visit to unsubscribe
>  from this list
> bind-users mailing list
> bind-users at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list