BIND 9.7.1-P2 is now available.
Larissa Shapiro
larissas at isc.org
Thu Jul 15 19:32:17 UTC 2010
BIND 9.7.1-P2 is now available.
BIND 9.7.1-P2 is a SECURITY PATCH for BIND 9.7.1.
BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1.
Security Advisory Regarding: RRSIG query handling bug in BIND 9.7.1
CVE# TBA
VU# 211905
Posting date: July 14, 2010
Program Impacted: BIND
Versions affected: 9.7.1, 9.7.1-P1
Severity: High
Exploitable: remotely
Description:
If a query is made explicitly for a record of type
'RRSIG' to a validating recursive server running BIND 9.7.1 or
9.7.1-P1, and the server has one or more trust anchors configured
statically and/or via DLV, then if the answer is not already in cache,
the server enters a loop which repeatedly generates queries for RRSIGs
to the authoritative servers for the zone containing the queried
name. This rarely occurs in normal operation, since RRSIGs are already
included in responses to queries for the RR types they cover, when
DNSSEC is enabled and the records exist. However, the potential for
deliberate use of this bug must also be taken into account, which is
why ISC is preparing a patch for distribution as soon as possible.
Fix: BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1.
The change attempted to correct the behavior of a validating recursive
resolver when explicitly queried for records of type 'RRSIG'. These
queries do not occur in normal DNSSEC operation, because RRSIG records
are ordinarily returned along with the records they cover. However,
a type-RRSIG query can be used for manual testing purposes. As a
result of the change in 9.7.1, if the cache did not contain any
RRSIG records for the name, such a query would trigger an endless
loop of recursive queries to the authoritative server.
BIND 9.7.1-P2 backs out the change, restoring the behavior prior to
9.7.1, which was not entirely correct but not harmful. It will be
properly fixed in a future release.
Risk assessment: We do not believe this bug to pose a significant
operational risk. The versions of BIND affected are new, and
constitute only a small part of the deployed base of DNS software in the
world. Our continued internal review, and testing by an early
adopter, found this issue before it was more widely deployed in
production.
Workarounds:
None, administrators need to upgrade using the patch that will be
available by 12:00 noon Pacific Daylight Time, July 15 2010.
Active exploits: None known.
Solution:
Upgrade BIND to 9.7.1-P2. If using 9.7.0, remain on 9.7.0-P2.
Revision History: None
Acknowledgement: Thank you to Marco Davids of SIDN for testing and
finding the issue.
Please refer any questions you might have to
security-officer at isc.org, or bind9-bugs at isc.org
BIND 9.7.1-P2 is now available.
BIND 9.7.1-P2 is a SECURITY PATCH for BIND 9.7.1.
BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1.
The change attempted to correct the behavior of a validating recursive
resolver when explicitly queried for records of type 'RRSIG'. These
queries do not occur in normal DNSSEC operation, because RRSIG records
are ordinarily returned along with the records they cover. However,
a type-RRSIG query can be used for manual testing purposes. As a
result of the change in 9.7.1, if the cache did not contain any
RRSIG records for the name, such a query would trigger an endless
loop of recursive queries to the authoritative server.
BIND 9.7.1-P2 backs out the change, restoring the behavior prior to
9.7.1, which was not entirely correct but not harmful. It will be
properly fixed in a future release.
BIND 9.7.1-P2 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz
The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.sha512.asc
The signature was generated with the ISC public key, which is
available at <https://www.isc.org/about/openpgp>.
A binary kit for Windows XP and Window 2003 is at
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip
The PGP signature of the binary kit for Windows XP and Window 2003 is at
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.sha512.asc
Changes since 9.7.1-P1:
--- 9.7.1-P2 released ---
2931. [security] Temporarily and partially disable change 2864
because it would cause inifinite attempts of RRSIG
queries. This is an urgent care fix; we'll
revisit the issue and complete the fix later.
[RT #21710]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-workers/attachments/20100715/a873715f/attachment.html>
More information about the bind-workers
mailing list