BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses

Summary: 
DNSSEC NSEC/NSEC3 validation code could cause bogus NXDOMAIN responses.
CVE: 
CVE-2010-0097
CERT: 
VU#360341
Posting date: 
19 Jan 2010
Program Impacted: 
BIND
Versions affected: 
9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P4, 9.5.0 -> 9.5.2-P1, 9.6.0 -> 9.6.1-P2
Severity: 
Low
Exploitable: 
remotely
Description: 

There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set.

Impact:
This problem affects all DNSSEC-validating resolvers. It would be difficult to exploit due to other existing protections against cache poisoning (including transaction ID and source port randomization), but it could impair the ability of DNSSEC to protect against a denial-of-service attack on a secure zone.

Workarounds: 

None, administrators need to upgrade to one of the versions detailed below.

Active exploits: 
None known at this time.
Solution: 

Upgrade BIND to one of the following: 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3. There are no fixes available for BIND versions 9.0 through 9.3, as those releases are at End of Life. Note for BIND 9.7 beta-testers: pre-releases of 9.7.0 are vulnerable. Upcoming releases will include these patches.

Revision History:

None 

Questions should be addressed to bind9-bugs@isc.org.

Share this