RRSIG query handling bug in BIND 9.7.1
If a query is made explicitly for a record of type 'RRSIG' to a validating recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or more trust anchors configured statically and/or via DLV, then if the answer is not already in cache, the server enters a loop which repeatedly generates queries for RRSIGs to the authoritative servers for the zone containing the queried name. This rarely occurs in normal operation, since RRSIGs are already included in responses to queries for the RR types they cover, when DNSSEC is enabled and the records exist.
Risk assessment: We do not believe this bug to pose a significant operational risk. The versions of BIND affected are new, and constitute only a small part of the deployed base of DNS software in the world. Our continued internal review, and testing by an early adopter, found this issue before it was more widely deployed in production.
Upgrade BIND to 9.7.1-P2. If using 9.7.0, remain on 9.7.0-P2.
BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1. The change attempted to correct the behavior of a validating recursive resolver when explicitly queried for records of type 'RRSIG'. These queries do not occur in normal DNSSEC operation, because RRSIG records are ordinarily returned along with the records they cover. However, a type-RRSIG query can be used for manual testing purposes. As a result of the change in 9.7.1, if the cache did not contain any RRSIG records for the name, such a query would trigger an endless loop of recursive queries to the authoritative server. BIND 9.7.1-P2 backs out the change, restoring the behavior prior to 9.7.1, which was not entirely correct but not harmful. It will be properly fixed in a future release.
Acknowledgment: Thank you to Marco Davids of SIDN for testing and finding the issue.
Revision History: None
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC