Category: Application (Generic) > BIND
Vendors: ISC (Internet Software Consortium)
BIND RPZ Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1025503
SecurityTracker URL:
CVE Reference: CVE-2011-1907
Date:  May 6 2011
Impact:   Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 9.8.0
Description:   A vulnerability was reported in BIND. A remote user can cause denial of service conditions.

A remote user can send specially crafted queries of type RRSIG to cause the target service to crash.

Name servers using a response policy zone (RPZ) configured for RRset replacement are affected.

Mitsuru Shimamura at Internet Initiative Japan reported this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   The vendor has issued a fix (9.8.0-P1).

The vendor's advisory is available at:

Vendor URL:
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  [Full-disclosure] Security Advisory: DNS BIND Security Advisory: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

Note: is the authoritative source
for this Security Advisory. Please check the source for any updates.

Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.

CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0
Severity: High
Exploitable: remotely

Description: This advisory only affects BIND users who are using the
RPZ feature configured for RRset replacement. BIND 9.8.0 introduced
Response Policy Zones (RPZ), a mechanism for modifying DNS responses
returned by a recursive server according to a set of rules which are
either defined locally or imported from a reputation provider. In
typical configurations, RPZ is used to force NXDOMAIN responses for
untrusted names. It can also be used for RRset replacement, i.e.,
returning a positive answer defined by the response policy. When RPZ
is being used, a query of type RRSIG for a name configured for RRset
replacement will trigger an assertion failure and cause the name
server process to exit.

Workarounds: Install 9.8.0-P1 or higher.

Active exploits: None. However, some DNSSEC validators are known to
send type=RRSIG queries, innocently triggering the failure.

Solution: Use RPZ only for forcing NXDOMAIN responses and not for
RRset replacement.

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:

Thank you to Mitsuru Shimamura at Internet Initiative Japan for
finding this defect.

For more information on support and other services for ISC's software
products, please visit

For more information about DNS RPZ, please check security advisory @

Questions about this Security Advisory should be sent to the ISC
Security Officer <>.
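The advisory above says only RPZ configurations used for RRset replacement (local data) are affected, while the NXDOMAIN and NODATA actions are not. The following added example (not ISC's code, not from the advisory) parses a constructed RPZ policy zone and lists the triggers that use RRset replacement, so an operator can audit a 9.8.0 deployment before the 9.8.0-P1 upgrade; the zone contents and names are made up for illustration.

```python
import re
# Constructed sample RPZ zone (not from the advisory); owner = trigger, rdata = action.
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
$TTL 1h
@                    SOA   ns.example. hostmaster.example. 1 1h 15m 30d 2h
                     NS    ns.example.
malware.example.com  CNAME .                  ; NXDOMAIN action
tracker.example.net  CNAME *.                 ; NODATA action
walled.example.org   A     192.0.2.10         ; RRset replacement (local data)
*.phish.example.com  CNAME sinkhole.example.  ; RRset replacement via CNAME
"""
_TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)

def policy_action(rtype, rdata):
    # RPZ encodes NXDOMAIN as "CNAME ." and NODATA as "CNAME *."; anything else is local data.
    if rtype == "CNAME" and rdata == ".":
        return "NXDOMAIN"
    if rtype == "CNAME" and rdata == "*.":
        return "NODATA"
    return "RRSET_REPLACEMENT"

def parse_rpz_zone(zone_text):
    """Return (trigger, rtype, action) per policy record. Handles $ORIGIN, ';'
    comments, owner-continuation lines and optional TTL/class fields."""
    origin, owner, records = ".", None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        tokens = line.split()
        if not raw[0].isspace():  # new owner; indented lines reuse the previous one
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        while tokens[0].upper() == "IN" or _TTL_RE.match(tokens[0]):
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype in ("SOA", "NS") and owner == origin:
            continue  # zone infrastructure records, not policy triggers
        records.append((owner, rtype, policy_action(rtype, rdata)))
    return records

def rrset_replacement_triggers(zone_text):
    """Triggers using RRset replacement, the configuration the advisory says is exposed."""
    return sorted({o for o, _, a in parse_rpz_zone(zone_text) if a == "RRSET_REPLACEMENT"})
```

Any trigger reported by `rrset_replacement_triggers` is one for which a type RRSIG query would hit the assertion on an unpatched 9.8.0 server; an empty list means the zone only uses the NXDOMAIN/NODATA actions the advisory describes as unaffected.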
