The Internet Systems Consortium released an advisory today informing BIND users that certain types of queries to name servers can cause the servers to crash and create a denial-of-service condition.
This remotely exploitable bug only affects BIND users with the Response Policy Zones (RPZ) feature configured for RRset replacement, and has a high severity rating.
The RPZ feature was first built into BIND 9.8.0 as a mechanism for modifying DNS responses from recursive servers according to local rules or rules imported from a reputation provider. RPZ is generally used either to force NXDOMAIN responses for untrusted names or to replace the RRset that would otherwise be returned. When RPZ is in use, RRSIG queries for names configured for RRset replacement trigger an assertion failure and cause the name server process to exit.
There is no active exploit here, but certain DNSSEC validators are known to send RRSIG queries, which then trigger the failure. The issue is fixed for anyone running or installing version 9.8.0-P1 or higher. An alternative work-around is to use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
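To make the second work-around concrete, here is an added configuration example (not from the advisory or from ISC) contrasting an RPZ zone that performs RRset replacement with one restricted to NXDOMAIN forcing. The zone name rpz.example.net, the policy names and the 192.0.2.0/24 addresses are constructed placeholders, and the `policy nxdomain` override follows the response-policy syntax of the BIND 9.8 Administrator Reference Manual; check it against the ARM for the version you run.

```conf
# --- named.conf: RPZ zone as deployed (vulnerable configuration) ---
options {
    # Every rule in the zone is applied as written ("given" is the default),
    # so the A records below cause RRset replacement for matching names.
    response-policy { zone "rpz.example.net"; };
};
zone "rpz.example.net" {
    type master;
    file "rpz.example.net.zone";
};

# --- rpz.example.net.zone: mixed NXDOMAIN and replacement rules ---
$TTL 300
@                     IN SOA  ns.rpz.example.net. hostmaster.rpz.example.net. 1 3600 900 604800 300
                      IN NS   ns.rpz.example.net.
; CNAME "." means: answer NXDOMAIN for this name
phish.example.com     IN CNAME .
; An ordinary record means: replace the answer with this RRset.
; An RRSIG query for this name is what triggers the assertion failure.
walled.example.com    IN A     192.0.2.10

# --- named.conf: work-around (NXDOMAIN only, no RRset replacement) ---
options {
    # "policy nxdomain" forces every match in the zone to be answered with
    # NXDOMAIN, regardless of the record data, so no RRset is ever replaced
    # and the zone file does not have to be rewritten. Keep it in place until
    # the server is running 9.8.0-P1 or later.
    response-policy { zone "rpz.example.net" policy nxdomain; };
};
```

The long-term fix is still the upgrade; the override only removes the replacement behaviour that the vulnerable code path depends on.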
BIND is the most widely deployed DNS software on the Internet and is used by millions of organizations around the world.
Mitsuru Shimamura at Internet Initiative Japan is credited with having discovered this defect.