Under heavy incoming TCP query loads named experiences a memory leak which may lead to significant reductions in query response performance. Additionally, this can trigger an automatic shutdown if named is running on a system that kills out-of-memory processes.
High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized.
After completing our analysis of the DNS exploit reported by Professor Haixin Duan of Tsinghua University, ISC has determined that the behavior he describes, while verifiable, is due to design issues
in the DNS protocol. No immediate steps are planned to address the issue. Further information concerning the implications of the reported vulnerability can be found in the complete problem description below.
Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"
Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9.
ISC is actively investigating the root cause and has produced patches which prevent the crash. Further information will be made available soon.
