DNSSEC signature can crash Bind name servers

"Where a Bind name server is set up as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash. ISC describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorises the problem, which can be triggered remotely, as 'high' severity.

The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears that the internal memory manager can become confused when it has to cache signed entries for non-existent domains. ISC's Larissa Shapiro has confirmed to The H's associates at heise Security that servers which do not themselves offer DNSSEC functionality are also vulnerable.

According to ISC, to exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain. He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server. Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates which should fix the problem."

Source: Retrieved on May 27, 2011 from h-online.com/open/news/item/DNSSEC-signature-can-crash-Bind-name-servers-1251729.html

Share