What is an Empty Non-Terminal?
Information in the Domain Name System is arranged in a tree-like graph. Nodes in this graph can be terminal or non-terminal.
- A terminal node is a node like a leaf at the edge of the tree; no other nodes exist beyond it (hence "terminal").
- A non-terminal node is any node that exists in the graph between other nodes.
So that's "terminal" vs. "non-terminal." But what does it mean for a non-terminal node to be an "empty non-terminal"?
Although many DNS operators never take advantage of this, preferring to create a delegation or zone cut at each level, DNS does not require that every non-terminal segment of a domain name be in a separate zone. That is to say, if you have been delegated authority for a domain, e.g. "example.com", and you want to create a record within that domain called "foo.bar.example.com", you can do that in more than one way.
One common practice would be to choose to create a delegation within "example.com" to a new subdomain, "bar.example.com", and within that subdomain you could create a record "foo" as desired.
But DNS does not require you to do that. If all you want is "foo.bar.example.com" and you have no intention to create other records in "bar.example.com", you can define "foo.bar.example.com" within the zone data for the "example.com" zone and that will work just fine. In this case "bar" is a non-terminal node in the DNS graph and, if there are no records created at the "bar" level, it is considered an "empty" non-terminal.
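To make the "bar" case above concrete, here is an added example (not ISC's code or BIND's) that takes a constructed "example.com" zone with "foo.bar.example.com" defined directly, lists the names that are empty non-terminals, and shows why it matters for an authoritative server: an ENT exists as a name, so a query for it gets NODATA (NOERROR with an empty answer) rather than NXDOMAIN. Wildcards and CNAMEs are not modelled.

```python
"""Identify empty non-terminals (ENTs) in a small zone.

Constructed zone: "example.com" defines "foo.bar.example.com" directly
(no delegation of "bar"), so "bar.example.com" is an ENT.
"""

ORIGIN = "example.com."

# Constructed records as (owner, type, rdata); nothing is defined at bar.example.com.
RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "A", "192.0.2.20"),
    ("foo.bar.example.com.", "A", "192.0.2.10"),
]

def names_between(name, origin):
    """Yield every name strictly below `origin` and strictly above `name`."""
    n, o = name.rstrip(".").split("."), origin.rstrip(".").split(".")
    if len(n) <= len(o) or n[-len(o):] != o:
        return  # not within the zone, or the apex itself
    for i in range(1, len(n) - len(o)):
        yield ".".join(n[i:]) + "."

def empty_non_terminals(records, origin=ORIGIN):
    """Names that own no records but have records beneath them."""
    owners = {owner for owner, _, _ in records}
    return sorted(
        anc for owner in owners for anc in names_between(owner, origin)
        if anc not in owners
    )

def lookup(records, qname, qtype, origin=ORIGIN):
    """Outcome an authoritative server must give: an ENT exists as a
    name, so it yields NODATA (NOERROR, empty answer), not NXDOMAIN."""
    owners = {owner for owner, _, _ in records}
    if any(o == qname and t == qtype for o, t, _ in records):
        return "ANSWER"
    if qname in owners or qname in empty_non_terminals(records, origin):
        return "NODATA"
    return "NXDOMAIN"

if __name__ == "__main__":
    print("ENTs:", empty_non_terminals(RECORDS))  # ['bar.example.com.']
    for q in ("bar.example.com.", "foo.bar.example.com.", "baz.example.com."):
        print(q, lookup(RECORDS, q, "A"))
```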
An example of a record which could be used to trigger the vulnerability would be something like: "foo.*.example.com." ISC recommends avoiding the use of wildcards in these types of records because they do not match as operators generally expect them to. However, if you must use such a record for some reason, you should at least take care to upgrade to a version of BIND that is not affected by CVE-2020-8619.