ISC Security Advisory: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND9

Cathy Almond cathya at
Tue Jul 24 17:45:07 UTC 2012

Note: This email advisory is provided for your information. The most up
to date advisory information will always be at:
please use this URL for the most up to date advisory information.

Title: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion
Failure in BIND9

Summary: High numbers of queries with DNSSEC validation enabled can
cause an assertion failure in named, caused by using a "bad cache" data
structure before it has been initialized.

CVE: CVE-2012-3817
Document Version: 2.0
Posting date: 24 July, 2012
Program Impacted: BIND 9
Versions affected:    9.6-ESV-R1 through 9.6-ESV-R7-P1; 9.7.1 through
9.7.6-P1; 9.8.0 through 9.8.3-P1; 9.9.0 through 9.9.1-P1.
Severity: Critical
Exploitable: Remotely


BIND 9 stores a cache of query names that are known to be failing due to
misconfigured name servers or a broken chain of trust. Under high query
loads when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.

This bug cannot be encountered unless your server is doing DNSSEC

Please Note: Versions of BIND 9.4 and 9.5 are also affected, but these
branches are beyond their "end of life" (EOL) and no longer receive
testing or security fixes from ISC. For current information on which
versions are actively supported, please see

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please

Workarounds: None

Solution: Upgrade to the patched release most closely related to your
current version of BIND. These can all be downloaded from

    BIND 9 version 9.9.1-P2
    BIND 9 version 9.8.3-P2
    BIND 9 version 9.7.6-P2
    BIND 9 version 9.6-ESV-R7-P2

Exploit Status: None known at this time

Acknowledgment: ISC would like to thank Einar Lonn of

Document Revision History:

    1.0 - 11 July, 2012 Phase 1 notice sent
    1.1 - 17 July, 2012 Phase 1 re-issued due to change in patch for
CVE-2012-3868 that affects 9.9.x only
    1.2 - 23 July, 2012 Phase 2 & 3 sent
    2.0 - 24 July, 2012 Phase 3 (Public) notified


- Do you have Questions? Questions regarding this advisory should go to
security-officer at

- ISC Security Vulnerability Disclosure Policy: Details of our current
security advisory policy and practice can be found here:

- Japanese Translation:
- Spanish Translation:
- German Translation:

This security advisory is also located in our KnowledgeBase:

See our BIND Security Matrix for a complete listing of Security
Vulnerabilites and versions affected.

Note: ISC patches only Currently supported versions. When possible we
indicate EOL versions affected.

If you'd like more information on our Forum or BIND/DHCP support please
visit or

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice
and none should be inferred. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this
notice, including, without limitation, any inferred warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use of, or reliance on, this
notice or materials referred to in this notice is at your own risk. ISC
may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of date, or
contain factual errors.

More information about the bind-users mailing list