BIND 9 Security Vulnerability Matrix
The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.
It has two parts:
For example, if you use the top table to look up CVE-2012-1667, you will see that it cross-references to #46. You can look for column #46 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.8.3, you would know to upgrade.
We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.
We do not recommend that you use any version not listed in one of these charts.
Vulnerability information for EOL (End of Life) versions of BIND 9 (including 9.7) and below is included.
Using obsolete versions of BIND
We recommend that you not use obsolete versions of any ISC software. It was updated for a reason. But there is one situation in which you really must not run older versions of BIND.
If a nameserver — any nameserver, whether BIND or other software — is configured to use "forwarders", then none of its targets (the servers to which it forwards the requests) can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to a current version. There is a wide-scale Kashpureff-style DNS cache corruption attack that depends on BIND4 and BIND8 being the targets of DNS forwarders. Both BIND 4 and BIND 8 have end-of-life status.
Listing of Vulnerabilities
Why don't the reference numbers begin at 1?
These matrices have been moved to our Knowledge Base from our website. Along the way we have extracted the security matrix information for BIND8; hence the numbering does not start with 1, and there are some gaps where some security reports related solely to BIND8. If you are still running BIND8 or earlier, we strongly recommend that you upgrade because there are security vulnerabilities inherent in BIND8 that could not be fixed until BIND9.
BIND 9.9 Subscription version
(Available via DNSco. If you'd like more information on our product support or about our Subscription versions of BIND, please visit http://www.dns-co.com/solutions/).