Update for BIND server patches DoS hole
ISC has published update 9.8.0-P1 for its BIND DNS server to close a potential denial of service (DoS) hole. Responses containing DNSSEC signature records (RRSIG) can, under certain circumstances, cause a BIND server to crash. ISC says, however, that the vulnerability can only be triggered on servers that have response policy zones (RPZ) configured; servers that do not use RPZ are not affected, and removing the RPZ configuration works around the problem until the update is applied.
RPZs define which domain names are not to be resolved; the definitions can, for instance, be taken from a reputation database. First implemented in BIND 9.8.0, RPZ is designed to combat the thousands of spam and malware domains registered daily.
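The following script shows what an RPZ deployment of the kind described above looks like in practice. It is an added example, not code from the article or from ISC: it renders a response policy zone from a constructed list of hostile domains (the domain names, the zone name rpz.local and the file path are made up) and prints the matching named.conf fragment. In an RPZ zone, a record of the form "name CNAME ." tells BIND to answer NXDOMAIN for that name, and a wildcard entry extends the rule to all subdomains.

```shell
#!/bin/sh
# Added example (not from the article or ISC). Builds a BIND response policy
# zone from a constructed domain feed and prints the named.conf fragment that
# activates it. Domain names, zone name and paths are assumptions.

# Constructed sample feed: one hostile domain per line, standing in for a
# reputation database export. These names are made up.
FEED='malware-dropper.example
spam-sender.example
phish-login.example'

# rpz_zone ZONE FEED: print an RPZ zone file on stdout.
# Each listed name and all of its subdomains are rewritten to NXDOMAIN via
# "CNAME .", which is how RPZ expresses "do not resolve this name".
# Owner names are relative, so BIND appends the zone name (e.g.
# malware-dropper.example.rpz.local), which is exactly what RPZ expects.
rpz_zone() {
    zone=$1
    feed=$2
    serial=$(date +%Y%m%d01)   # date-based serial; bump when the feed changes
    printf '$TTL 300\n'
    printf '@ SOA localhost. hostmaster.%s. %s 3600 900 604800 300\n' "$zone" "$serial"
    printf '@ NS localhost.\n'
    printf '%s\n' "$feed" | while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s CNAME .\n' "$d"       # the name itself
        printf '*.%s CNAME .\n' "$d"     # and everything below it
    done
}

# named_conf_fragment ZONE FILE: print the configuration that loads the zone
# and enables policy rewriting for it. The response-policy statement is the
# part that exposes an unpatched 9.8.0 server to the crash; removing it is
# the workaround until 9.8.0-P1 is installed.
named_conf_fragment() {
    zone=$1
    file=$2
    printf 'zone "%s" {\n' "$zone"
    printf '    type master;\n'
    printf '    file "%s";\n' "$file"
    printf '    allow-query { localhost; };\n'
    printf '};\n'
    printf 'options {\n'
    printf '    response-policy { zone "%s"; };\n' "$zone"
    printf '};\n'
}

# Usage: write both files for a zone called rpz.local (assumed name).
rpz_zone rpz.local "$FEED" > /tmp/db.rpz.local
named_conf_fragment rpz.local /etc/bind/db.rpz.local > /tmp/rpz.conf
```

The generated zone can be checked with named-checkzone before it is loaded, and a client query for a listed name (or a subdomain of it) should then return NXDOMAIN from the resolver.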
ISC says it is not aware of the flaw being exploited in deliberate attacks, but it is keeping an eye on a number of DNSSEC validators that have received signed answers which unintentionally triggered the crash.
(crve)