This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.
Install 9.8.0-P1 or higher.
Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
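The workaround above depends on knowing whether any of your RPZ zones contain RRset-replacement (local data) records. The following shell check is an added example, not part of the advisory or of BIND: it scans an RPZ zone file and lists every record that is neither "CNAME ." (forced NXDOMAIN) nor "CNAME *." (forced NODATA), which are exactly the entries the workaround permits. The sample zone it reads is constructed for the example.

```shell
#!/bin/sh
# Added example: report RPZ records that perform RRset replacement.
# In RPZ, "CNAME ." forces NXDOMAIN and "CNAME *." forces NODATA; any other
# rdata (A, AAAA, TXT, or a CNAME to a walled-garden name) is local data,
# i.e. RRset replacement, which this advisory says to avoid on 9.8.0.

# Print "owner type rdata" for each RRset-replacement record in zone file $1.
# Handles $TTL/$ORIGIN, comments, blank owners and a parenthesised SOA.
rpz_replacement_records() {
    awk '
        /^[[:space:]]*(;|$)/ { next }                 # comment or blank line
        /^\$(TTL|ORIGIN)/    { next }                 # zone directives
        inparen && /\)/      { inparen = 0; next }    # end of multi-line record
        inparen              { next }
        {
            sub(/;.*/, "")                            # strip trailing comment
            if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1  # multi-line record starts
            i = 1
            if ($0 ~ /^[[:space:]]/) name = prev      # blank owner: reuse previous
            else name = $(i++)
            if ($i ~ /^[0-9]+$/) i++                  # optional TTL
            if ($i == "IN") i++                       # optional class
            type = $(i++)
            rdata = $i
            prev = name
            if (type == "SOA" || type == "NS") next   # zone apex bookkeeping
            if (type == "CNAME" && (rdata == "." || rdata == "*.")) next
            print name, type, rdata
        }' "$1"
}

# Constructed sample RPZ zone (hypothetical names, not from the advisory).
RPZ_SAMPLE=$(mktemp)
cat > "$RPZ_SAMPLE" <<'EOF'
$TTL 300
@   IN SOA  rpz.example.net. hostmaster.example.net. ( 2011052300 3600 900 604800 300 )
    IN NS   localhost.
bad.example.com.            CNAME .                    ; forced NXDOMAIN: allowed
*.bad.example.com.          CNAME *.                   ; forced NODATA: allowed
walledgarden.example.com.   A     192.0.2.1            ; RRset replacement
phish.example.com.          CNAME garden.example.net.  ; RRset replacement
EOF

rpz_replacement_records "$RPZ_SAMPLE"
```

Any line the function prints is a record that must be removed or converted to "CNAME ." until the server runs 9.8.0-P1 or later.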
CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.
Do you have questions? Questions regarding this advisory should go to email@example.com.
For more information about DNS RPZ, please check the following:
- Taking Back the DNS
- Blocking DNS
- Response Policy Zones for the (not just) Domain Name System (DNS RPZ)
- DNS Response Policy Zone (DNS RPZ) from March 2011 ISC Webinar