The vulnerability exists in the way BIND 9 handles recursive client queries
that may cause additional records to be added to its cache.
From the ISC advisory:
While this security vulnerability is rated as “medium” risk, this is
because it is not currently a risk for many BIND users. For users who
have DNSSEC validation turned on, this bug is a SEVERE risk and
upgrading to the newly patched code is imperative.
This problem only affects nameservers that allow recursive queries and
are performing DNSSEC validation on behalf of their clients. It is
unlikely to be encountered by most DNSSEC-validating nameservers
because queries that might induce a nameserver to exhibit this behavior
would not normally be received with CD in combination with DO. We are
not aware of any (client) stub resolvers that do this; however, at
least one other DNS server implementation has been observed crafting
queries in this way when forwarding.
9 users should upgrade to one of the following: 9.4.3-P4, 9.5.2-P1 or
9.6.1-P2. There are no fixes available for BIND versions 9.0 through
9.3, as those
releases are at end-of-life, the ISC said.
More from US-CERT.