In association with heise online

06 May 2011, 12:32

Update for BIND server patches DoS hole


Internet Systems Consortium

ISC has published Update 9.8.0-P1 for its BIND DNS server to close a potential denial of service (DoS) hole. Signed server replies (RRSIG) can cause a BIND server to crash under certain circumstances. ISC says, however, that the vulnerability only occurs if the vulnerable server supports response policy zones (RPZs).

RPZs define which domain names are not to be resolved; the definitions can, for instance, be taken from a reputation database. First implemented in BIND 9.8.0, RPZ is designed to combat the thousands of spam and malware domains registered daily.

ISC says the DoS hole has not yet been used in actual attacks, but the firm is keeping an eye on a number of DNSSEC validators that have sent the BIND server answers that unintentionally caused crashes.
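
An added example, not from the article or from ISC: a Python check for the two conditions described above, namely that the server runs BIND 9.8.0 and has a `response-policy` statement configured. The sample configuration is constructed, the function names are hypothetical, and treating only the version string 9.8.0 as affected is an assumption drawn from this article; ISC's advisory is authoritative.

```python
import re

# Constructed sample configuration (not from the article or from ISC).
SAMPLE_NAMED_CONF = '''
options {
    directory "/var/named";
    // response-policy { zone "old.example"; };   (commented out, must be ignored)
    response-policy { zone "rpz.example.net"; };
};
zone "rpz.example.net" { type master; file "rpz.db"; };
'''

def strip_comments(conf):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    pattern = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)

def rpz_zones(conf):
    """Return the zone names listed in response-policy { ... } statements."""
    zones = []
    for body in re.findall(r'\bresponse-policy\s*\{(.*?)\}', strip_comments(conf), re.S):
        zones += re.findall(r'\bzone\s+"([^"]+)"', body)
    return zones

def parse_version(banner):
    """Extract e.g. '9.8.0' or '9.8.0-P1' from `named -v` style output."""
    m = re.search(r'\b(\d+\.\d+\.\d+(?:-[A-Za-z0-9]+)?)', banner)
    return m.group(1) if m else None

def exposed(banner, conf):
    """True only when both conditions from the article hold.

    Assumption: only the unpatched 9.8.0 string counts as affected.
    """
    return parse_version(banner) == "9.8.0" and bool(rpz_zones(conf))

if __name__ == "__main__":
    for banner in ("BIND 9.8.0", "BIND 9.8.0-P1"):
        print(banner, "-> exposed:", exposed(banner, SAMPLE_NAMED_CONF))
```

Feed it the output of `named -v` and the contents of the active `named.conf`; a server that reports 9.8.0 with at least one policy zone is the case the update addresses.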

