Skip to Content.
Sympa Menu

discuss - [opennic-discuss] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

[opennic-discuss] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones


Chronological Thread 
    < Chronological >      < Thread >
  • From: Julian DeMarchi <julian AT jdcomputers.com.au>
  • To: OpenNIC discussion <discuss AT lists.opennicproject.org>
  • Subject: [opennic-discuss] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
  • Date: Fri, 06 May 2011 11:43:23 +1000
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>
Note: https://www.isc.org/CVE-2011-1907 is the authoritative source
for this Security Advisory. Please check the source for any updates.

Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.

CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: This advisory only affects BIND users who are using the
RPZ feature configured for RRset replacement. BIND 9.8.0 introduced
Response Policy Zones (RPZ), a mechanism for modifying DNS responses
returned by a recursive server according to a set of rules which are
either defined locally or imported from a reputation provider. In
typical configurations, RPZ is used to force NXDOMAIN responses for
untrusted names. It can also be used for RRset replacement, i.e.,
returning a positive answer defined by the response policy. When RPZ
is being used, a query of type RRSIG for a name configured for RRset
replacement will trigger an assertion failure and cause the name
server process to exit.

Workarounds: Install 9.8.0-P1 or higher.

Active exploits: None. However, some DNSSEC validators are known to
send type=RRSIG queries, innocently triggering the failure.

Solution: Use RPZ only for forcing NXDOMAIN responses and not for
RRset replacement.

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5
(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for
finding this defect.

For more information on support and other services for ISC's software
products, please visit
https://www.isc.org/community/blog/201102/BIND-support

For more information about DNS RPZ, please check security advisory @
https://www.isc.org/CVE-2011-1907

Questions about this Security Advisory should be sent to the ISC
Security Officer <security-officer AT isc.org>.


  • [opennic-discuss] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones, Julian DeMarchi, 05/05/2011

Archive powered by MHonArc 2.6.19.

Top of Page