This flaw allowed remote attackers to insert incorrect information into caching DNS servers, causing what is known as "cache poisoning." In response, ISC released BIND 9.2.8-P1, 9.3.4-P1, and 9.4.1-P1.
The code used in these releases corrects the issues seen in prior releases of BIND 9 by reusing "known code" from the BIND 8 distribution.
This was done to permit a timely response to the vulnerability without introducing major changes into the BIND 9 source code between major releases, shortening the release cycle significantly.
Following the release of BIND 9.2.8-P1, 9.3.4-P1, and 9.4.1-P1, questions were again raised as to the quality of the Transaction IDs generated by the new releases. Based on code review and internal discussion, ISC believes that attacks against the new Transaction ID generation code, while theoretical, are not feasible.
ISC feels that the issues with Transaction ID generation have been mitigated by the new code releases, and that major changes to the Transaction ID code can be safely delayed until the next major release of BIND. Additional changes are being discussed that will cover the theoretical cases that have been raised, and, if deemed necessary, will be found in future releases of BIND.
ISC would like to assure the Internet community that this is much less an issue of using "extremely weak crypto," as it has been described, than of using a random number generator that did not provide sufficient randomness.
ISC recommends that caching servers running releases of BIND prior to BIND 9.2.8-P1, 9.3.4-P1, or 9.4.1-P1 be upgraded immediately due to the possibility of cache poisoning caused by a predictable Transaction ID.
Users running BIND 9.5.0 alpha should upgrade to the a6 release.
It should be noted that the cache poisoning attack represented in recent reports is only effective against caching servers that do not have the targeted information in cache at the time of the attack.
ISC would like to thank those in the community who brought the Transaction ID vulnerability to our attention, including Amit Klein of Trusteer.