

Friday, May 27, 2011

DNSSEC signature can crash Bind name servers

"Where a Bind name server is set up as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash. ISC describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorises the problem, which can be triggered remotely, as 'high' severity.

The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears that the internal memory manager can become confused when it has to cache signed entries for non-existent domains. ISC's Larissa Shapiro has confirmed to The H's associates at heise Security that servers which do not themselves offer DNSSEC functionality are also vulnerable.

According to ISC, to exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain. He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server. Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates which should fix the problem."

Source: Retrieved on May 27, 2011 from
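For an operator reading the quoted summary, the practical question is whether a given BIND build falls inside "9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier". The following Python script is an added example, not code from the blog, from The H or from ISC. It parses BIND version strings (including the ESV and -P forms), maps each release branch to the highest version the quoted text lists as affected, and compares. Because the summary names only base versions, a patch release of a listed version (such as 9.8.0-P1) is reported as "check-advisory" rather than guessed either way; branches the summary does not name are reported as "unknown-branch". The assumption that `named -v` prints a line of the form `BIND 9.x.y` is mine and is marked in the code.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Tuple

# Highest release per branch that the quoted advisory summary lists as affected
# ("... and earlier are all affected"). Taken from the blog text above, nothing else.
AFFECTED_CEILINGS = {
    "9.4-ESV": "9.4-ESV-R3",
    "9.6-ESV": "9.6-ESV-R2",
    "9.6": "9.6.3",
    "9.7": "9.7.1",
    "9.8": "9.8.0",
}

# Accepts 9.8.0, 9.8.0-P1, 9.6.3, 9.4-ESV-R3, 9.4-ESV-R3-P1.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<micro>\d+))?"
    r"(?P<esv>-ESV(?:-R(?P<esv_r>\d+))?)?"
    r"(?:-P(?P<patch>\d+))?$"
)


@dataclass(frozen=True)
class BindVersion:
    branch: str            # e.g. "9.8" or "9.4-ESV"
    key: Tuple[int, ...]   # orderable tuple within the branch
    patch: int             # -Pn level, 0 when absent


def parse_bind_version(text: str) -> BindVersion:
    """Parse a BIND version string into a branch plus an orderable key."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {text!r}")
    major, minor = int(m["major"]), int(m["minor"])
    if m["esv"] is not None:
        # ESV branches order by their -R number, not by a micro version.
        branch = f"{major}.{minor}-ESV"
        key = (major, minor, int(m["esv_r"] or 0))
    else:
        branch = f"{major}.{minor}"
        key = (major, minor, int(m["micro"] or 0))
    return BindVersion(branch, key, int(m["patch"] or 0))


def assess(version_text: str) -> Tuple[str, str]:
    """Compare a version with the advisory summary's affected list.

    Returns (status, reason); status is one of
    "affected", "not-listed", "check-advisory" or "unknown-branch".
    """
    v = parse_bind_version(version_text)
    ceiling_text = AFFECTED_CEILINGS.get(v.branch)
    if ceiling_text is None:
        return "unknown-branch", f"branch {v.branch} is not named in the quoted summary"
    ceiling = parse_bind_version(ceiling_text)
    if v.key < ceiling.key:
        return "affected", f"{version_text} is earlier than {ceiling_text}"
    if v.key == ceiling.key:
        if v.patch == 0:
            return "affected", f"{version_text} is listed as affected"
        # The summary lists base versions only; a -P release of a listed
        # version may or may not carry the fix, so defer to the full advisory.
        return "check-advisory", (
            f"{version_text} is a patch release of listed version {ceiling_text}; "
            "the summary does not say whether it is fixed"
        )
    return "not-listed", f"{version_text} is later than {ceiling_text}"


def version_from_named_output(output: str) -> str:
    """Extract the version token from `named -v` output.

    Assumption (mine, not from the page): the output contains 'BIND <version>'.
    """
    m = re.search(r"BIND\s+(\S+)", output)
    if not m:
        raise ValueError(f"no BIND version found in: {output!r}")
    return m.group(1)


if __name__ == "__main__":
    # Run locally on the resolver host; prints the status of the installed build.
    out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True).stdout
    status, reason = assess(version_from_named_output(out))
    print(f"{status}: {reason}")
```

Run it on the resolver host itself; the status is only as good as the list quoted above, so anything reported as "check-advisory" or "unknown-branch" should be resolved against ISC's advisory text rather than assumed safe.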


Monday, May 9, 2011

BIND Update Patches Security Flaw

The Internet Systems Consortium (ISC) recently released Update 9.8.0-P1 for its BIND DNS server, which closes a potential denial of service vulnerability.
"Signed server replies (RRSIG) can cause a BIND server to crash under certain circumstances," The H Security reports. "ISC says that the vulnerability only occurs, however, if the vulnerable server supports response policy zones (RPZs)."
"ISC says the DoS has not yet been used for actual attacks, but the firm is keeping an eye on a number of DNSSEC validators that have sent answers to the BIND server which unintentionally caused crashes," the article states.
Go to "Update for BIND server patches DoS hole" to read the details.

Source: Retrieved on May 9th, 2011