BIND, DHCP, and CVE-2014-0160 (the OpenSSL "Heartbleed" bug)

Michael McNally mcnally at
Fri Apr 11 07:47:42 UTC 2014

Earlier this week, the OpenSSL project ( announced
CVE-2014-0160, disclosing a very serious security flaw in the OpenSSL
library, affecting versions 1.0.1 and 1.0.2-beta (including OpenSSL
1.0.1f and 1.0.2-beta1)  In many stories, this vulnerability is being
referred to as the "Heartbleed" bug.

Because ISC products can be built to link against OpenSSL libraries,
users of BIND 9 and ISC DHCP have asked us to clarify whether or not
their systems are at risk due to CVE-2014-0160.  Rather than answer
questions individually, we hope that this will clarify the matter for
our users and reassure them that their services are safe from this
security vulnerability.

   1)  Is BIND vulnerable?

       After consulting with our developers, we are pleased
       to report that BIND 9 does not make use of the vulnerable
       parts of the OpenSSL libraries, so BIND services are NOT
       at risk from CVE-2014-0160.

   2)  Is ISC DHCP vulnerable?

       ISC DHCP does not use the affected parts of the OpenSSL
       library, either.  ISC DHCP services are not at risk from

   3)  What about Windows binary packages?

       For the benefit of Windows users, ISC provides installable
       binary distributions of BIND 9 for those who wish to run it
       on Windows servers.  At the time of this message, the most
       recent Windows binary distributions include vulnerable
       versions of the OpenSSL shared libraries.  These shared
       library files are safe for use with BIND 9 because BIND
       does not use the flawed parts of the library, but operators
       should not use the provided libraries with other applications.
       Future versions of the Windows binary distributions will
       include updated OpenSSL libraries with the security issues
       fixed, but we have no current plans to release emergency
       security releases for Windows because the libraries provided
       are safe for BIND 9.

Michael McNally
ISC Support

More information about the bind-users mailing list