CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

AA-00460

When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

Document Version: 1.1
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: 

This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.

Workarounds: 

Install 9.8.0-P1 or higher.

Active exploits: 

None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Solution: 

Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
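
One way to check whether a policy zone contains anything other than NXDOMAIN rules, as an added example that is not part of the ISC advisory. It assumes the standard RPZ encoding in which a rule of `CNAME .` means NXDOMAIN (the advisory itself does not describe the encoding) and a zone file with no `;` inside quoted strings; the sample zone and the function names are constructed for illustration.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL = re.compile(r"(\d+[smhdw]?)+", re.I)

# Constructed sample policy zone; names and addresses are documentation values.
SAMPLE_ZONE = """\
$TTL 300
@   IN SOA localhost. root.localhost. (
        1 ; serial
        1h 15m 30d 2h )
    IN NS  localhost.
bad.example.com      CNAME .
*.bad.example.com    CNAME .
walled.example.net   A     192.0.2.10
                     AAAA  2001:db8::10
redirect.example.org 300 IN CNAME garden.example.net.
"""

def logical_lines(text):
    """Yield records with ';' comments stripped and ( ... ) continuations joined."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth <= 0:
            if buf.strip():
                yield buf.rstrip()
            buf, depth = "", 0

def audit_rpz(text):
    """Return {owner: [rule, ...]} for every policy rule that is not 'CNAME .'."""
    flagged, owner = {}, None
    for line in logical_lines(text):
        if line.startswith("$"):            # $TTL / $ORIGIN directives
            continue
        fields = line.split()
        if not line[0].isspace():           # owner name starts in column one
            owner = fields.pop(0)
        while fields and (TTL.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)                   # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype in ("SOA", "NS") or (rtype == "CNAME" and rdata == "."):
            continue                        # zone plumbing or an NXDOMAIN rule
        flagged.setdefault(owner, []).append(f"{rtype} {rdata}")
    return flagged

if __name__ == "__main__":
    for name, rules in audit_rpz(SAMPLE_ZONE).items():
        print(name, "->", "; ".join(rules))
```

An empty result means every rule in the zone forces NXDOMAIN; any owner name that is listed carries a rule of another kind, which includes the RRset replacement rules this advisory is about.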

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.


Do you have Questions? Questions regarding this advisory should go to security-officer@isc.org.

This security advisory is a copy of the official document located on our website: https://www.isc.org/software/bind/advisories/cve-2011-1907

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to sales@isc.org. More information on ISC's support and other offerings is available at: http://www.isc.org/community/blog/201102/BIND-support


For more information about DNS RPZ, please check the following: