CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
Author: Michael McNally
Reference Number: AA-00460
Created: 2011-09-09 23:25
Last Updated: 2012-06-08 11:22

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

Document Version: 1.1
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: 

This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

Workarounds: 

Install 9.8.0-P1 or higher.

Active exploits: 

None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Solution: 

Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
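As an added audit helper, not code from the advisory or from ISC: the function below scans an RPZ zone file and lists the rules that perform RRset replacement, which are exactly the rules the advice above says not to use on 9.8.0 (an RRSIG query for any such name triggers the assertion). The sample zone is constructed, and the assumption that only `CNAME .` (forced NXDOMAIN) and `CNAME *.` (forced NODATA) are non-replacement targets is mine.

```python
import re

# Constructed sample RPZ zone fragment (not from the advisory). Owner names
# are relative to the policy zone origin; $-directives, comments, and the
# apex SOA/NS records are skipped during the audit.
SAMPLE_RPZ_ZONE = """\
$TTL 300
@               IN SOA  localhost. root.localhost. (1 3600 900 604800 300)
@               IN NS   localhost.
; forced NXDOMAIN -- the only policy the workaround permits
bad.example     CNAME .
; forced NODATA -- no data is substituted either
nodata.example  CNAME *.
; RRset replacement -- an RRSIG query for these names crashes 9.8.0
walled.example  IN A     192.0.2.1
walled.example  IN AAAA  2001:db8::1
redir.example   CNAME    landing.example.net.
"""

# Assumption: these two CNAME targets are the non-replacement policies.
SAFE_TARGETS = {".", "*."}

# owner [ttl] [IN] type rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+?)\s*$")


def find_rrset_replacements(zone_text):
    """Return (owner, rtype, rdata) for every RPZ rule that substitutes
    answer data instead of forcing NXDOMAIN or NODATA."""
    hits = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # strip trailing comments
        if not line or line.startswith("$"):
            continue                              # blank line or directive
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if owner == "@" or rtype in ("SOA", "NS"):
            continue                              # zone apex housekeeping
        if rtype == "CNAME" and rdata in SAFE_TARGETS:
            continue                              # NXDOMAIN / NODATA rule
        hits.append((owner, rtype, rdata))
    return hits


if __name__ == "__main__":
    for owner, rtype, rdata in find_rrset_replacements(SAMPLE_RPZ_ZONE):
        print(f"RRset replacement rule: {owner} {rtype} {rdata}")
```

Run it against each RPZ zone loaded by a 9.8.0 server; an empty result means the zone only forces NXDOMAIN/NODATA and is not exposed to this defect.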

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.


Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-1907

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support


For more information about DNS RPZ, please check the following:



© 2001-2015 Internet Systems Consortium
