Security update for BIND name server
The Internet Systems Consortium (ISC), the company behind the open source DNS software BIND, has released security updates to resolve a DNSSEC-related vulnerability that could lead to Denial-of-Service (DoS) attacks. According to the relevant advisory, the server's domain validation code contains a flaw that can cause an NXDOMAIN response to be regarded as validated although it isn't. With the usual protective measures (random transaction IDs and random source ports) in place, the cache is said not to be open to manipulation. The prevention of DoS attacks, however, is apparently compromised. No further details were given by ISC.
BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 up to and including 9.4.3-P4, 9.5.0 up to and including 9.5.2-P1, and 9.6.0 up to and including 9.6.1-P2 are affected. Updating to 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3 fixes the problem. Versions 9.0 to 9.3 are no longer supported. The BIND 9.7 beta is also affected, but the flaw will be fixed in a new version.
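To triage an inventory against the version ranges above, the following added example (not ISC code) classifies an upstream BIND version string, such as the one printed by `named -v`. The function name and status labels are hypothetical, and it assumes later releases on a fixed branch keep the fix.

```python
import re

# First fixed release per supported branch, as (patch, P-level), from the article.
FIXED = {(9, 4): (3, 5), (9, 5): (2, 2), (9, 6): (1, 3)}
# Branches the article lists as affected and no longer supported (no fix offered).
UNSUPPORTED = {(9, 0), (9, 1), (9, 2), (9, 3)}

# Accepts "9.4.3-P4" or `named -v` style "BIND 9.6.1-P2"; the optional suffix
# (a1, b1, rc1) marks a pre-release.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?((?:a|b|rc)\d+)?")


def classify(version_string):
    """Return the article's status for an upstream BIND version string."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unknown"
    branch = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))
    prerelease = m[5]
    if branch in UNSUPPORTED:
        return "affected-unsupported"
    if branch == (9, 7) and prerelease and prerelease.startswith("b"):
        return "affected-beta"  # the article names no fixed 9.7 version
    if branch in FIXED and not prerelease:
        # Assumption: releases after the first fixed one on a branch keep the fix.
        return "affected" if release < FIXED[branch] else "fixed"
    return "unknown"  # anything the article does not cover


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real servers.
    for sample in ["BIND 9.4.3-P4", "BIND 9.5.2-P2", "9.6.1", "9.3.6-P1",
                   "9.7.0b2", "9.8.0"]:
        print(f"{sample:15} {classify(sample)}")
```

Distribution packages may carry a backported fix without changing the upstream version string, so an "affected" result on a vendor build should be checked against the vendor's own advisory.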
- BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses, security advisory from ISC.