icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

ISC BIND 9 Large RRSIG RRsets Negative Caching Remote DoS

Medium

Synopsis

The remote DNS server is vulnerable to a denial of service attack.

Description

The remote host is running Bind, a popular name server.

Versions of BIND 9.4 earlier than 9.4-ESV-R4-P1, 9.6 earlier than 9.6-ESV-R4-P1, 9.7 earlier than 9.7.3-P1, and 9.8 earlier than 9.8.0-P2 are potentially affected by a denial of service vulnerability. If BIND queries a domain with large RRSIG resource record sets it may trigger an assertion failure and cause the name server process to crash due to an off-by-one error in the buffer size check.

Solution

Upgrade to BIND 9.4-ESV-R4-P1 / 9.6-ESV-R4-P1, 9.7.3-P1, 9.8.0-P2, or later.