- patch to add another missing stdint.h inclusion for uintptr_t
- enable regression tests (these set temporary aliases on lo0;
should be safe, but I've set TEST_INTERACTIVE to avoid any unintended
consequences on bulk test runs).
a crafted query against an NSEC3-signed zone, causing the server to exit.
Affects authoritative nameservers serving at least one NSEC3-signed zone.
Does not affect recursive-only servers, or auth servers which do not serve
NSEC3-signed zones.
query that includes malformed rdata can cause named to terminate with an
assertion failure while rejecting the malformed query. Authoritative and
recursive servers are equally vulnerable. Intentional exploitation of
this condition can cause a denial of service in all nameservers running
affected versions of BIND 9. Access Control Lists do not provide any
protection from malicious clients.
per CPU. As found by Marc Peters, this doesn't work too well on a t5120
with 64 threads, so change the default settings in the rc.d script to -U 4
to cap this to 4, or the number of CPUs if less.
As usual with rc.d scripts, if you need to override flags, set
isc_named_flags="..." in rc.conf.local.
"A critical defect in BIND 9 allows an attacker to cause excessive memory
consumption in named or other programs linked to libdns.
The problem is encountered when a program compiled to link to libdns
receives a maliciously-constructed regular expression via any of several
delivery methods."
https://kb.isc.org/article/AA-0087
A specific query can cause BIND nameservers using DNS64 to exit
with a REQUIRE assertion failure.
BIND nameservers that are not using DNS64 are not at risk.
https://kb.isc.org/article/AA-00828 CVE-2012-5688
If specific combinations of RDATA are loaded into a nameserver, either
via cache or an authoritative zone, a subsequent query for a related
record will cause named to lock up.
See https://kb.isc.org/article/AA-00801 for more details.
https://kb.isc.org/article/AA-00778
If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure.
This vulnerability can be exploited remotely against recursive servers
by inducing them to query for records provided by an authoritative
server. It affects authoritative servers if a zone containing this type
of resource record is loaded from file or provided via zone transfer.
version of BIND than is in the base OS (some people require features
from this version e.g. DNS64), but note that it does not include
the hardening changes made to the version in base.
feedback from naddy@, giovanni@, ok giovanni@.
"BIND is open source software that implements the Domain Name System
(DNS) protocols for the Internet. It is a reference implementation
of those protocols, but it is also production-grade software,
suitable for use in high-volume and high-reliability applications."