"A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns.
The problem is encountered when a program compiled to link to libdns
receives a maliciously-constructed regular expression via any of several
delivery methods."
https://kb.isc.org/article/AA-0087
A specific query can cause BIND nameservers using DNS64 to exit
with a REQUIRE assertion failure.
BIND nameservers that are not using DNS64 are not at risk.
https://kb.isc.org/article/AA-00828 CVE-2012-5688
If specific combinations of RDATA are loaded into a nameserver, either
via cache or an authoritative zone, a subsequent query for a related
record will cause named to lock up.
See https://kb.isc.org/article/AA-00801 for more details.
https://kb.isc.org/article/AA-00778
If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure.
This vulnerability can be exploited remotely against recursive servers
by inducing them to query for records provided by an authoritative
server. It affects authoritative servers if a zone containing this type
of resource record is loaded from file or provided via zone transfer.
version of BIND than is in the base OS (some people require features
from this version e.g. DNS64), but note that it does not include
the hardening changes made to the version in base.
feedback from naddy@ giovanni@, ok giovanni@.
"BIND is open source software that implements the Domain Name System
(DNS) protocols for the Internet. It is a reference implementation
of those protocols, but it is also production-grade software,
suitable for use in high-volume and high-reliability applications."
