CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones



When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

Document Version:
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0


Description:
This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.


Solution:
Install 9.8.0-P1 or higher.

Active exploits: 
None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Workarounds:
Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
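To make the distinction in the workaround concrete, the following policy zone data is an added example (not part of this advisory; the zone name rpz.example, the trigger names and the 192.0.2.10 address are assumptions) showing the NXDOMAIN form the workaround permits beside the RRset-replacement form that an unpatched 9.8.0 server must not use:

```text
; rpz.example.db  (constructed example; zone name and trigger names are assumptions)
; Activated in named.conf with:
;   response-policy { zone "rpz.example"; };
;   zone "rpz.example" { type master; file "rpz.example.db"; };
$TTL 300
$ORIGIN rpz.example.
@               SOA   localhost. root.localhost. ( 1 3600 900 1209600 300 )
                NS    localhost.

; NXDOMAIN policy: a CNAME to the root (".") tells the resolver to answer
; NXDOMAIN for bad.example. This is the only form the workaround allows
; on BIND 9.8.0 without the P1 fix.
bad.example     CNAME .

; RRset replacement: the resolver synthesises a positive answer from this
; record. On 9.8.0 a query "walled.example IN RRSIG" reaches the assertion
; failure described above; keep such records only on 9.8.0-P1 or later.
walled.example  A     192.0.2.10
```

The two forms differ only in the policy record's type, so auditing an RPZ zone for the workaround means checking that every policy owner carries a CNAME to "." rather than address or other positive data.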

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.

Do you have questions? Questions regarding this advisory should go to

This security advisory is a copy of the official document located on our website:

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to

More information on ISC's support and other offerings is available at:

For more information about DNS RPZ, please check the following: