FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

bind9 -- Denial of Service in named(8)

Affected packages
6.1 <= FreeBSD < 6.1_6
6.0 <= FreeBSD < 6.0_11
5.5 <= FreeBSD < 5.5_4
5.4 <= FreeBSD < 5.4_18
5.0 <= FreeBSD < 5.3_33
9.0 <= bind9 < 9.3.2.1

Details

VuXML ID ef3306fc-8f9b-11db-ab33-000e0c2e438a
Discovery 2006-09-06
Entry 2006-12-19
Modified 2016-08-09

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.

References

CVE Name CVE-2006-4095
CVE Name CVE-2006-4096
FreeBSD Advisory SA-06:20.bind