CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
Author: Michael McNally | Reference Number: AA-00460 | Created: 2011-09-09 23:25 | Last Updated: 2012-06-08 11:22

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

Document Version: 1.1
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: 

This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

Workarounds: 

Install 9.8.0-P1 or higher.

Active exploits: None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Solution: 

Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
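The advisory's two conditions (a BIND build without the 9.8.0-P1 fix, and an RPZ zone that contains RRset-replacement rules rather than only NXDOMAIN/NODATA actions) can be checked mechanically. The following Python script is an added example and is not ISC code; it assumes a simplified RPZ classification in which a `CNAME .` rule forces NXDOMAIN, a `CNAME *.` rule forces NODATA, and any other record at a policy name supplies a locally defined answer (RRset replacement). The sample zone and the version strings are constructed for the example; version parsing treats a bare `9.8.0` (including any prerelease build) as affected and `9.8.0-P1` or later as fixed, as the advisory states.

```python
import re

# Constructed sample RPZ zone (not from the advisory). The first two rules
# force NXDOMAIN / NODATA answers; the last two define positive answers,
# i.e. RRset replacement, which is the configuration the advisory concerns.
SAMPLE_RPZ_ZONE = """\
$TTL 300
@                       IN SOA localhost. root.localhost. 1 3600 900 604800 300
                        IN NS  localhost.
; NXDOMAIN action: CNAME to the root
bad.example.com         CNAME .
; NODATA action: CNAME to the wildcard root
*.bad.example.net       CNAME *.
; RRset replacement: the policy supplies the answer itself
walled.example.org      A     192.0.2.10
redirect.example.org    CNAME garden.example.org.
"""

# Assumption: only CNAME-to-"." (NXDOMAIN) and CNAME-to-"*." (NODATA) are
# treated as non-replacement actions; every other record is a locally
# defined answer and therefore an RRset replacement rule.
NON_REPLACEMENT_TARGETS = {".", "*."}

# owner  [TTL]  [IN]  TYPE  rdata   (owner may be blank to inherit the previous one)
RR_LINE = re.compile(
    r"^(?P<owner>\S*)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def rrset_replacement_rules(zone_text):
    """Return (owner, type, rdata) for each rule that supplies a positive answer."""
    rules = []
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line or line.startswith("$"):   # blank lines, $TTL/$ORIGIN
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner = m.group("owner") or last_owner  # blank owner inherits previous
        last_owner = owner
        rtype, rdata = m.group("type"), m.group("rdata")
        if rtype in ("SOA", "NS"):
            continue                           # apex housekeeping, not policy
        if rtype == "CNAME" and rdata in NON_REPLACEMENT_TARGETS:
            continue                           # NXDOMAIN / NODATA, not replacement
        rules.append((owner, rtype, rdata))
    return rules


# Matches "9.8.0", "9.8.0-P1", "BIND 9.8.1" and similar strings.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """Parse a version string (e.g. the output of 'named -v') into a tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True for 9.8.0 only: 9.8.0-P1 and later carry the fix, earlier releases lack RPZ."""
    return parse_bind_version(text) == (9, 8, 0, 0)


def assess(version_text, zone_text):
    """Combine the version check with the RPZ rule scan into one verdict."""
    replacement = rrset_replacement_rules(zone_text)
    affected = is_affected(version_text)
    return {
        "affected_version": affected,
        "replacement_rules": replacement,
        "at_risk": affected and bool(replacement),
    }


if __name__ == "__main__":
    report = assess("BIND 9.8.0", SAMPLE_RPZ_ZONE)
    for owner, rtype, rdata in report["replacement_rules"]:
        print("RRset replacement rule: %s %s %s" % (owner, rtype, rdata))
    print("at risk:", report["at_risk"])
```

Run against a real deployment, the zone text would come from the RPZ zone file named in the server's `response-policy` configuration and the version string from `named -v`; a server reports `at_risk` only when both conditions hold, which is exactly the population the advisory describes.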

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.


Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-1907

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support


For more information about DNS RPZ, please check the following:

