CVE-2012-3817 FAQ and Supplemental Information
About This Document
For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability.
Am I vulnerable?
- Only servers that perform DNSSEC validation are vulnerable.
- This issue could either be encountered accidentally or deliberately engineered.
Why are BIND 9.4 and 9.5 listed as vulnerable?
This does affect BIND 9.4 and 9.5, but not all versions. The change that introduced 'bad cache' was released in 9.4-ESV-R1. It also went into some 9.5 versions (9.5.3b1 and 9.5.3rc1) that didn't get as far as general release before 9.5 was EOL:
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
Are earlier versions of BIND 9 vulnerable?
We have not tested (and do not intend to test) BIND 9.0 through 9.5 for this vulnerability since they are EOL (End of Life), vulnerable to other security weaknesses already, and their use is not recommended. However, our knowledge of the internals of these versions leads us to believe that none of them should be vulnerable to CVE-2012-3817.
Is the Response Rate Limiting code included in these new patched versions of BIND?
No - this code is currently experimental and unsupported. Updated versions of the RRL code patches (applicable to the new versions of BIND released as a result of CVE-2012-3817 and CVE-2012-3868) are available from http://www.redbarn.org/dns/ratelimits.