RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.
Install 9.8.0-P1 or higher.
Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.
Do you have Questions? Questions regarding this advisory should go to email@example.com.
Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to firstname.lastname@example.org. More information on ISC's support and other offerings are available at: http://www.isc.org/community/blog/201102/BIND-support
ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://www.isc.org/security-vulnerability-disclosure-policy
For more information about DNS RPZ, please check the following:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC