New DoS Vulnerability In All Versions of BIND 9

Icemaann writes "ISC is reporting that a new, remotely exploitable vulnerability has been found in all versions of BIND 9. A specially crafted dynamic update packet will make BIND die with an assertion error. There is an exploit in the wild and there are no access control workarounds. Red Hat claims that the exploit does not affect BIND servers that do not allow dynamic updates, but the ISC post refutes that. This is a high-priority vulnerability and DNS operators will want to upgrade BIND to the latest patch level."

Okay, I read the ISC alert.

[mmell]

They're right. This is a major exploit, especially in view of the fundamental nature of name services to the internet. With repeated application (or by combining with DDoS techniques) I could see holding an entire domain down for an extended period of time. Now, then . . .

Only a fool would configure public-facing DNS servers as masters, although I've seen it done. Only the king of the land of fools would put his domain's real DNS master on a public-facing network. Thus, only domains administered by fools should be directly affected. Darwin for teh win!