[dns-operations] BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

SM sm at resistor.net
Fri May 27 07:26:54 UTC 2011

At 22:35 26-05-2011, Larissa Shapiro wrote:
>*Summary:* A BIND 9 DNS server set up to be a caching resolver is
>vulnerable to a user querying a domain with very large resource record
>sets (RRSets) when trying to negatively cache a response. This can
>cause the BIND 9 DNS server (named process) to crash.


>The nature of this vulnerability would allow remote exploit. An
>attacker can set up a DNSSEC signed authoritative DNS server with
>large RRSIG RRsets to act as the trigger. The attacker would then find
>ways to query an organization's caching resolvers, using the negative
>caches and 'trigger' the vulnerability. The attacker would require
>access to an organization's caching resolvers. Access to the resolvers
>can be direct (open resolvers), through malware (using a BOTNET to
>query negative caches), or through driving DNS resolution (a SPAM run
>that has a domain in the E-mail that will cause the client to look
>up a negative cache).

http://test.federalreserve.gov also triggered the bug.

>*Workarounds:* Restricting access to the DNS caching resolver
>infrastructure will provide partial mitigation. Active exploitation
>can be accomplished through malware or SPAM/Malvertizing actions that
>will force authorized clients to look up domains that would trigger
>this vulnerability.

As it is possible to trigger this bug through the "web", it would 
be advisable to upgrade before people roll out the denial of service.
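
The trigger the advisory describes is a negative answer (NXDOMAIN or NODATA) whose authority section carries large RRSIG RRsets, which a caching resolver then has to negatively cache. The following is an added example, not code from ISC, from the advisory, or from the poster: a small pure-Python DNS wire-format parser that reports how many RRSIG records and bytes sit in the authority section of such a response, and how large the biggest single RRSIG RRset is. The NXDOMAIN message it analyses offline is constructed inline (zone name example., signature count, signature size and all other field values are made up for the example); the optional live mode only builds an EDNS0 query with the DO bit set and sends it to a resolver and name you pass on the command line.

```python
# Added example (not ISC or advisory code): measure the RRSIG payload a
# resolver would negatively cache from a DNSSEC-signed negative answer.
import socket
import struct
import sys

TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC = 6, 41, 46, 47


def encode_name(name):
    """Dotted name -> uncompressed wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return (name, rtype, ttl, msg[off:off + rdlen]), off + rdlen


def negative_cache_profile(msg):
    """Return (rcode, rrsig_count, rrsig_bytes, largest_rrsig_rrset_bytes)
    for the authority section, i.e. what a resolver would negatively cache."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):                                # skip answer section
        off = parse_rr(msg, off)[1]
    per_rrset, count, total = {}, 0, 0
    for _ in range(ns):
        (name, rtype, _ttl, rdata), off = parse_rr(msg, off)
        if rtype == TYPE_RRSIG:
            covered = struct.unpack("!H", rdata[:2])[0]   # RRSIG "type covered"
            key = (name, covered)                         # one RRSIG RRset
            per_rrset[key] = per_rrset.get(key, 0) + len(rdata)
            count, total = count + 1, total + len(rdata)
    return flags & 0x0F, count, total, max(per_rrset.values(), default=0)


def build_query(qname, ident=0x1234):
    """A query with an EDNS0 OPT record and the DO bit set, so RRSIGs come back."""
    hdr = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", 1, 1) + opt


def build_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def fake_rrsig(covered, sig_len):
    """Constructed RRSIG rdata with a zero-filled signature of sig_len bytes."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 1, 3600, 0, 0, 12345)
    return fixed + encode_name("example.") + b"\x00" * sig_len


def build_nxdomain_response(num_sigs, sig_len):
    """Constructed NXDOMAIN reply for nonexistent.example. whose authority
    section holds SOA, NSEC and num_sigs RRSIGs over each of them."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 2 + 2 * num_sigs, 0)
    question = encode_name("nonexistent.example.") + struct.pack("!HH", 1, 1)
    soa = encode_name("ns1.example.") + encode_name("hostmaster.example.") \
        + struct.pack("!IIIII", 1, 3600, 900, 604800, 300)
    auth = build_rr("example.", TYPE_SOA, 300, soa)
    auth += build_rr("example.", TYPE_NSEC, 300,
                     encode_name("a.example.") + b"\x00\x06\x42\x00\x00\x00\x00\x03")
    for _ in range(num_sigs):
        auth += build_rr("example.", TYPE_RRSIG, 300, fake_rrsig(TYPE_SOA, sig_len))
        auth += build_rr("example.", TYPE_RRSIG, 300, fake_rrsig(TYPE_NSEC, sig_len))
    return hdr + question + auth


def report(msg):
    rcode, count, total, largest = negative_cache_profile(msg)
    print("rcode=%d rrsigs=%d rrsig_bytes=%d largest_rrsig_rrset=%d"
          % (rcode, count, total, largest))


if __name__ == "__main__":
    report(build_nxdomain_response(num_sigs=5, sig_len=256))  # offline sample
    if len(sys.argv) == 3:                             # usage: resolver qname
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(5)
        s.sendto(build_query(sys.argv[2]), (sys.argv[1], 53))
        report(s.recvfrom(65535)[0])
```

Run without arguments to profile the constructed sample; run as `python3 script.py <resolver-ip> <nonexistent.name.in.signed.zone>` to see how much RRSIG data a real negative answer from a given zone would push into a resolver's negative cache. The parser deliberately does not validate signatures: the point is the size of what gets cached, not its correctness.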

