bind-announce July 2010 archive
Main Archive Page > Month Archives  > bind-announce archives
bind-announce: BIND 9.7.1-P2 is now available.

BIND 9.7.1-P2 is now available.

From: Larissa Shapiro <larissas_at_nospam>
Date: Thu Jul 15 2010 - 19:30:33 GMT
To: bind-announce@isc.org

RRSIG query handling bug in BIND 9.7.1

CVE# TBA
VU# 211905
Posting date: July 14, 2010
Program Impacted: BIND
Versions affected: 9.7.1, 9.7.1-P1
Severity: High
Exploitable: remotely

Description:
If a query is made explicitly for a record of type
'RRSIG' to a validating recursive server running BIND 9.7.1 or
9.7.1-P1, and the server has one or more trust anchors configured
statically and/or via DLV, then if the answer is not already in cache,
the server enters a loop which repeatedly generates queries for RRSIGs
to the authoritative servers for the zone containing the queried
name. This rarely occurs in normal operation, since RRSIGs are already
included in responses to queries for the RR types they cover, when
DNSSEC is enabled and the records exist. However, the potential for
deliberate use of this bug must also be taken into account, which is
why ISC is preparing a patch for distribution as soon as possible.

Fix: BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1.
The change attempted to correct the behavior of a validating recursive
resolver when explicitly queried for records of type 'RRSIG'. These
queries do not occur in normal DNSSEC operation, because RRSIG records
are ordinarily returned along with the records they cover. However,
a type-RRSIG query can be used for manual testing purposes. As a
result of the change in 9.7.1, if the cache did not contain any
RRSIG records for the name, such a query would trigger an endless
loop of recursive queries to the authoritative server.

BIND 9.7.1-P2 backs out the change, restoring the behavior prior to
9.7.1, which was not entirely correct but not harmful. It will be
properly fixed in a future release.

Risk assessment: We do not believe this bug to pose a significant
operational risk. The versions of BIND affected are new, and
constitute only a small part of the deployed base of DNS software in the
world. Our continued internal review, and testing by an early
adopter, found this issue before it was more widely deployed in
production.

Workarounds:
None, administrators need to upgrade using the patch that will be
available by 12:00 noon Pacific Daylight Time, July 15 2010.

Active exploits: None known.

Solution:
Upgrade BIND to 9.7.1-P2. If using 9.7.0, remain on 9.7.0-P2.

Revision History: None

Acknowledgement: Thank you to Marco Davids of SIDN for testing and
finding the issue.

Please refer any questions you might have to
security-officer@isc.org, or bind9-bugs@isc.org
                BIND 9.7.1-P2 is now available.

        BIND 9.7.1-P2 is a SECURITY PATCH for BIND 9.7.1.

BIND 9.7.1-P2 reverses a change that was introduced in BIND 9.7.1.

The change attempted to correct the behavior of a validating recursive
resolver when explicitly queried for records of type 'RRSIG'. These
queries do not occur in normal DNSSEC operation, because RRSIG records
are ordinarily returned along with the records they cover. However,
a type-RRSIG query can be used for manual testing purposes. As a
result of the change in 9.7.1, if the cache did not contain any
RRSIG records for the name, such a query would trigger an endless
loop of recursive queries to the authoritative server.

BIND 9.7.1-P2 backs out the change, restoring the behavior prior to
9.7.1, which was not entirely correct but not harmful. It will be
properly fixed in a future release.

BIND 9.7.1-P2 can be downloaded from

         ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz

The PGP signature of the distribution is at

         ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.asc
         ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.sha256.asc
         ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at <https://www.isc.org/about/openpgp>.

A binary kit for Windows XP and Window 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip

The PGP signature of the binary kit for Windows XP and Window 2003 is at

        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.zip.sha512.asc
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.asc
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.sha256.asc
        ftp://ftp.isc.org/isc/bind9/9.7.1-P2/BIND9.7.1-P2.debug.zip.sha512.asc

Changes since 9.7.1-P1:

        --- 9.7.1-P2 released ---

2931. [security] Temporarily and partially disable change 2864
                        because it would cause inifinite attempts of RRSIG
                        queries. This is an urgent care fix; we'll
                        revisit the issue and complete the fix later.
                        [RT #21710]

_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce