ISC Knowledgebase

Security Matrices for Obsolete BIND Branches

Sat, 30 May 2026 18:07:18 GMT

The vulnerability matrix for each obsolete branch of BIND is kept available for historical reference. For currently supported releases, see the BIND 9 Software Vulnerability Matrix instead. SECURITY WARNING Obsolete versions of BIND are all known to be vulnerable. ISC strongly recommends upgrading to a current version as soon as practical. The obsolete matrices will not be updated to reflect new vulnerabilities. You must assume you are vulnerable if you are running an obsolete version. For ...

A Note About BIND Release Notes

Wed, 27 May 2026 05:25:53 GMT

If you are looking for the release notes for the current versions of BIND, please visit the following URL, and then select the directory for the major branch you are running: https://downloads.isc.org/isc/bind9/cur/ In each release directory, you will find: File Name Description README.md A brief introduction to BIND RELEASE-NOTES-bind-*.html Release notes (the most significant changes) CHANGELOG-bind-*.html Detailed change log COPYRIGHT Copyright notices for BIND and included software LIC ...

Kea: Use unique databases

Wed, 20 May 2026 13:05:54 GMT

Summary When configuring Kea to use a database for storage of leases or host reservations, use a unique database for each Kea server. Within a single Kea high availability group (HA group), the database may be shared, subject to certain considerations. Guidance Use a unique database for every Kea server. A database can be made unique by creating a different database name on the same database server, or by using different database servers. For example, if you use a central database server, creat ...

BIND 9 Software Vulnerability Matrix

Wed, 20 May 2026 11:39:14 GMT

The BIND 9 Software Vulnerability Matrix (previously know as the "BIND 9 Security Vulnerability Matrix") is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts: The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its pag ...

CVE-2026-5950: Unbounded resend loop in BIND 9 resolver

Wed, 20 May 2026 11:16:24 GMT

CVE: CVE-2026-5950 Title: Unbounded resend loop in BIND 9 resolver Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.18.36 -> 9.18.48 9.20.8 -> 9.20.22 9.21.7 -> 9.21.21 BIND Supported Preview Edition 9.18.36-S1 -> 9.18.48-S1 9.20.9-S1 -> 9.20.22-S1 Severity: Medium Exploitable: Remotely Description: An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated ...

CVE-2026-5947: SIG(0) validation during query flood may lead to undefined behavior

Wed, 20 May 2026 11:11:29 GMT

CVE: CVE-2026-5947 Title: SIG(0) validation during query flood may lead to undefined behavior Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.22 9.21.0 -> 9.21.21 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.22-S1 Versions NOT affected: BIND 9.18.28 -> 9.18.49 BIND Supported Preview Edition 9.18.28-S1 -> 9.18.49-S1 (Versions prior to 9.18.28 were not assessed.) Severity: High Exploitable: Remotely Description: Undefined ...

CVE-2026-5946: Invalid handling of CLASS != IN

Wed, 20 May 2026 11:06:54 GMT

CVE: CVE-2026-5946 Title: Invalid handling of CLASS != IN Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.11.0 -> 9.16.50 9.18.0 -> 9.18.48 9.20.0 -> 9.20.22 9.21.0 -> 9.21.21 BIND Supported Preview Edition 9.11.3-S1 -> 9.16.50-S1 9.18.11-S1 -> 9.18.48-S1 9.20.9-S1 -> 9.20.22-S1 Severity: High Exploitable: Remotely Description: Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (I ...

CVE-2026-3592: Amplification vulnerabilities via self-pointed glue records

Wed, 20 May 2026 11:03:24 GMT

CVE: CVE-2026-3592 Title: Amplification vulnerabilities via self-pointed glue records Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.11.0 -> 9.16.50 9.18.0 -> 9.18.48 9.20.0 -> 9.20.22 9.21.0 -> 9.21.21 BIND Supported Preview Edition 9.11.3-S1 -> 9.16.50-S1 9.18.11-S1 -> 9.18.48-S1 9.20.9-S1 -> 9.20.22-S1 Severity: Medium Exploitable: Remotely Description: BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. ...

CVE-2026-3593: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation

Wed, 20 May 2026 10:56:07 GMT

CVE: CVE-2026-3593 Title: Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.22 9.21.0 -> 9.21.21 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.22-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.48 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.48-S1 (Versions prior to 9.18.0 and 9.18.11-S1 were not assessed.) Severity: High Exploitable: Remotely Desc ...

CVE-2026-3039: BIND 9 server memory exhaustion during GSS-API TKEY negotiation

Wed, 20 May 2026 10:48:38 GMT

CVE: CVE-2026-3039 Title: BIND 9 server memory exhaustion during GSS-API TKEY negotiation Document version: 2.0 Posting date: 20 May 2026 Program impacted: BIND 9 Versions affected: BIND 9.0.0 -> 9.16.50 9.18.0 -> 9.18.48 9.20.0 -> 9.20.22 9.21.0 -> 9.21.21 BIND Supported Preview Edition 9.9.3-S1 -> 9.16.50-S1 9.18.11-S1 -> 9.18.48-S1 9.20.9-S1 -> 9.20.22-S1 (Versions prior to 9.11.37 were not assessed.) Although we have not tested them individually, we believe that all EoL versions of BIND ...

Things to be aware of when upgrading to Kea 3.0.0

Thu, 14 May 2026 21:27:41 GMT

The release of the Kea 3.0 branch brings with it many changes users need to know about. Hooks libraries re-licensed and re-packaged Most Kea hook libraries have become open source and are freely available; the only exceptions are the Role-Based Access Control hook (RBAC) and the Configuration Backend hook (CB), which remain commercially licensed. The open source hook libraries will be available in the Kea source tarball and for package installation from the official ISC repositories on Cloudsmit ...

Stork Quickstart guide

Wed, 13 May 2026 11:45:16 GMT

Introduction Installing Stork can seem somewhat confusing at first. The purpose of this quickstart guide is to layout the installation process in steps grouped by package manager or OS. Choose your OS/package manager from the table of contents on the right hand side to jump directly to the section that will cover the installation on your system. Stork Agent Since the Stork Agent may need to be installed more than once on disparate systems (example: to monitor BIND and Kea installations which ...

A short introduction to Catalog Zones

Wed, 13 May 2026 08:12:49 GMT

Catalog Zones is a BIND feature allowing easy provisioning of zones to secondary servers. A "catalog zone" is a special DNS zone that contains a list of other zones to be served, along with their configuration parameters. The zones listed in a catalog zone are called "member zones". When a catalog zone is loaded or transferred to a secondary server that supports this functionality, the secondary server creates the member zones automatically. When the catalog zone is updated (for example, to a ...

General Best Practices for Servers

Tue, 12 May 2026 18:37:59 GMT

Introduction Operators should strive to implement general best practices for the servers hosting their critical infrastructure. Software is only as good as the platform it runs on. System administration is well beyond the scope and remit of ISC Support. However, we can offer a very few suggestions, based on the most common problems we see. Keep current Use an operating system which is still being maintained Keep current with security and stability updates (patches/fixes) ISC gets many report ...

Kea API and Control Sockets

Tue, 12 May 2026 15:39:44 GMT

Introduction This article introduces the Kea Application Programming Interface (API). It briefly discusses the architecture of how the Kea API is presented, through control sockets, the direct API, and the Kea Control Agent (KCA). Use of API commands is beyond the scope of this article. Consult the Kea ARM for information on API commands and their usage. Kea API Overview The Kea DHCP server consists of up to four daemons (service processes). These daemons communicate with each other, and with ...

ISC's Software Support Policy and Version Numbering

Mon, 11 May 2026 12:46:10 GMT

The purpose of this article is to help users determine how long a given ISC release is likely to be supported. This information is useful when deciding when to schedule a migration, or in some cases, to help determine which version to migrate to when updating. This is a rough guide, not a guarantee, and release dates are approximate. For the most current information on the status of any particular software version, please refer to the software status listed on the downloads page. BIND 9 (updated ...

Kea Database Connection Resilience

Fri, 08 May 2026 21:25:34 GMT

Introduction This document discusses database connectivity problems, parameters that can be adjusted to make Kea compensate for those problems, and some of the implications of doing so. Scenario Symptoms Often this discussion begins with error messages like this: DATABASE_MYSQL_FATAL_ERROR Unrecoverable MySQL error occurred: unable to execute for