ISC acts quickly to shield BIND user base

08 Jul 2008

Redwood City, CA - Internet Systems Consortium (ISC) released several fixes for BIND9 in response to the United States Computer Emergency Readiness Team (US-CERT) Vulnerability notice number 800113 regarding a DNS Cache Poisoning Issue. The basis for the vulnerability is inherent in the DNS protocol and not a flaw specific to BIND9, the leading s oftware implementation of the DNS protocol written and distributed by ISC.

"Immediate action is required to address this threat" stated Dan Kaminsky, director of Penetration Testing at IOActive. This vulnerability was discovered by Kaminsk y, renowned Internet Security expert, during his ongoing Internet penetration security testing. "ISC has been very responsive and supportive since being made aware of the issue. They have also facilitated conversations with other infrastructure vendors to respond in a coordinated manner."

The DNS protocol uses the Query ID field to match incoming responses to previously sent queries. The query ID field is only 16 bits which makes it an easy target to exploit, in the particular scenario discovered by Kaminsky. In addition to patches for the current versions of BIND9, ISC has also released beta versions of upcomi ng maintenance releases, BIND 9.5.1b1 and BIND 9.4.3b1, for testing.

"DNSSEC is the only definitive solution for this threat. Having been part of the development of DNSSEC since the beginning, we understand better than most that imme diate DNSSEC deployment is not a realistic expectation" commented Paul Vixie, president of ISC. "The patches released by ISC today improve the resilience of BIND to this attack but are only a workaround. We are redoubling our efforts to make DNSSEC a real option in the near-term."

Additional information and resources about this vulnerability and DNSSEC can be found at the following locations, VU#800113 , and  DNSSEC and BIND articles .

About ISC Internet Systems Consortium (ISC):

ISC is a non-profit, 501(c)(3) public benefit corporation with a long history of developing and maintaining the production quality Open Source software - BIND and DHCP. ISC has increased its focus to include enhancing the stability of the global DNS directly through reliable F-root nameserver operations and ongoing o peration of a DNS crisis coordination center, ISC's OARC for DNS. ISC is also engaged with further protocol development efforts, particularly in the areas of DNS ev olution and facilitating the transition to IPv6. ISC is supported by the donations of generous sponsors, program membership fees and specific fees for services. For program or donation information, please visit our website at https://www.isc.org

Media Contact: Laura Hendriksen, (+1)650/423-1309, laura_hendriksen@isc.org
Technical Contact: Joao Damas, (+1)650/423-1312, joao_damas@isc.org

Share this