CVE-2012-3817 FAQ and Supplemental Information

AA-00766

About This Document

For up-to-date information on this vulnerability, patches, and other operational information, please see the official vulnerability announcement. This article is intended to supplement the information in that announcement and will be updated as needed to further describe the operational impact of this vulnerability.

Am I vulnerable?
  • Only servers that perform DNSSEC validation are vulnerable.
  • This issue could either be encountered accidentally or deliberately engineered.
Why are BIND 9.4 and 9.5 listed as vulnerable?

This does affect BIND 9.4 and 9.5, but not all versions.  The change that introduced the 'bad cache' was the one below, first released in 9.4-ESV-R1.  It also went into some 9.5 versions (9.5.3b1 and 9.5.3rc1) that didn't get as far as general release before 9.5 was EOL:

2852.   [bug]   Handle broken DNSSEC trust chains better. [RT #15619]

Are earlier versions of BIND 9 vulnerable?

We have not tested (and do not intend to test) BIND 9.0 through 9.5 for this vulnerability since they are EOL (End of Life), are already vulnerable to other security weaknesses, and their use is not recommended.  However, our knowledge of the internals of these versions leads us to believe that none of them should be vulnerable to CVE-2012-3817.

Is the Response Rate Limiting code included in these new patched versions of BIND?

No - this code is currently experimental and unsupported.  Updated versions of the RRL code patches (applicable to the new versions of BIND released as a result of CVE-2012-3817 and CVE-2012-3868) are available from http://www.redbarn.org/dns/ratelimits.