[dns-operations] BIND Security Advisory May 2011: Large RRSIG RRsets and Negative Caching can crash named

SM sm at resistor.net
Fri May 27 07:26:54 UTC 2011


At 22:35 26-05-2011, Larissa Shapiro wrote:
>*Summary:* A BIND 9 DNS server set up to be a caching resolver is
>vulnerable to a user querying a domain with very large resource record
>sets (RRSets) when trying to negatively cache a response. This can
>cause the BIND 9 DNS server (named process) to crash.

[snip]

>The nature of this vulnerability would allow remote exploit. An
>attacker can set up a DNSSEC signed authoritative DNS server with
>large RRSIG RRsets to act as the trigger. The attacker would then find
>ways to query an organization's caching resolvers, using the negative
>caches and the "trigger" the vulnerability. The attacker would require
>access to an organization's caching resolvers. Access to the resolvers
>can be direct (open resolvers), through malware (using a BOTNET to
>query negative caches), or through driving DNS resolution (a SPAM run
>that has a domain in the E-mail that will cause the client to look
>up a negative cache).

http://test.federalreserve.gov also triggered the bug.

>*Workarounds:* Restricting access to the DNS caching resolver
>infrastructure will provide partial mitigation. Active exploitation
>can be accomplished through malware or SPAM/Malvertizing actions that
>will force authorized clients to look up domains that would trigger
>this vulnerability.

As it is possible to trigger this bug through the "web", it would
be advisable to upgrade before people roll out the denial of service.

Regards,
-sm
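The advisory's workaround is to restrict who may use the caching resolver. The following BIND 9 named.conf fragment is an added example of that partial mitigation, not configuration from the advisory or from this thread; the address ranges in the "internal" ACL are placeholders to be replaced with the organization's own client networks.

```conf
// Added example (not from the advisory or the thread): limit recursion and
// cache access to known internal clients so that arbitrary Internet hosts
// cannot drive the resolver to fetch and negatively cache attacker-chosen
// records. Address ranges below are placeholders.
acl "internal" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;            // placeholder: replace with your client networks
};

options {
    recursion yes;
    allow-recursion   { internal; };   // only internal clients may recurse
    allow-query-cache { internal; };   // only they may read cached answers
    allow-query       { any; };        // authoritative zones still served to all
};
```

Run named-checkconf against the edited file before reloading, and remember that, as the advisory notes, this only narrows the set of clients who can trigger the bug; a client inside the ACL that is lured into resolving a prepared domain can still crash the resolver, so upgrading named remains the fix.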