Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   BIND Vendors:   ISC (Internet Software Consortium)
ISC BIND Response Policy Zones DNAME/CNAME Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1025743
SecurityTracker URL:
CVE Reference:   CVE-2011-2465   (Links to External Site)
Date:  Jul 5 2011
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.1b1
Description:   A vulnerability was reported in ISC BIND. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to cause the target 'named' service to exit.

Servers that have recursion enabled and that use Response Policy Zones (RPZ) where the RPZ zone contains a specific rule/action pattern are affected. RPZ zones containing DNAME records and certain kinds of CNAME records are affected.

Bryce Moore from TELUS Security Labs reported this vulnerability.

Impact:   A remote user can cause the target DNS server to exit.
Solution:   The vendor has issued a fix (9.8.0-P4).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 27 2011 (NetBSD Issues Fix) ISC BIND Response Policy Zones DNAME/CNAME Processing Flaw Lets Remote Users Deny Service
NetBSD has issued a fix.

 Source Message Contents

Subject:  [Full-disclosure] Security Advisory: CVE-2011-2465 ISC BIND 9 Remote Crash with Certain RPZ Configurations

Hash: SHA512

ISC BIND 9 Remote Crash with Certain RPZ Configurations

Two defects were discovered in ISC's BIND 9 code. These defects only affect
BIND 9 servers which have recursion enabled and which use a specific
feature of the software known as Response Policy Zones (RPZ) and where the
RPZ zone contains a specific rule/action pattern.

CVE: CVE-2011-2465

Document Version:  2.0

Posting date: 05 Jul 2011

Program Impacted: BIND

Versions affected:  9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1 Other versions of
BIND 9 not listed here are not vulnerable to this problem.

Severity:  High

Exploitable:  Remotely


A defect in the affected versions of BIND could cause the "named" process
to exit when queried, if the server has recursion enabled and was
configured with an RPZ zone containing certain types of records.
Specifically, these are any DNAME record and certain kinds of CNAME

The patch release of BIND 9.8.0-P4 alters the behavior of RPZ zones by
ignoring any DNAME records in an RPZ zone, and correctly returning CNAME
records from RPZ zones.

Note that DNAME has no defined effect on the RPZ engine and its presence in
an RPZ zone is ignored. The definitive list of meaningful patterns in an
RPZ zone is given in the BIND 9 Administrative Reference Manual and also in
ISC Technical Note 2010-1.

CVSS Score: 7.8

CVSS Equation: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:


Do not put certain CNAME or any DNAME records into an RPZ zone file until
your software can be patched. If you subscribe to a service which supplies
your RPZ zone data, ensure that it does not contain any DNAME or certain
CNAME records. The CNAME records which must not be used are those which
signal the RPZ engine to rewrite query names. CNAME records which signal
the RPZ engine to forge an NXDOMAIN response are not affected by this

An example of an RPZ rule which causes a query name to be rewritten is:


An example of an RPZ rule which causes an NXDOMAIN response to be returned


Please refer to the BIND 9 Administrative Reference Manual or to ISC
Technical Note 2010-1 for more information about the Response Policy Zone
(RPZ) feature which was added to BIND 9 in Version 9.8.0.

Active exploits: 

ISC received reports of this software flaw and verified the report's


Upgrade to: 9.8.0-P4. (Note that 9.8.0-P3 is not affected but has been
replaced by 9.8.0-P4 due to CVE-2011-2464)

Download this version from the following location:

ISC releases of BIND 9 software may be downloaded from

If you do not obtain your BIND software directly from ISC, contact your
operating system or software vendor for an update.

If you are participating in ISC's Beta or release candidate (RC) program,
please upgrade. ISC Beta/RC testers are expected to remove vulnerable
versions and upgrade. No security advisories are issued for beta / release
candidates once the corresponding final release is made.

Acknowledgement: ISC thanks Bryce Moore from TELUS Security Labs for
finding and reporting this issue.

Document Revision History

Version 1.0 - 14 June 2011: Phase One Disclosure Date
Version 1.1 - 20 June 2011: Phase Two Disclosure Date with updates.
Version 1.2 - 21 June 2011: Updates on beta, RC, and clarity editing
Version 1.3 - 24 June 2011: Added document URL
Version 1.4 - 28 June 2011:  Updated Solution and description (revised to
recommend 9.8.0-P4 per CVE-2011-2464)
Version 1.5 - 4 July 2011:  Phase Three and Four Disclosure Date
Version 2.0 - 5 July 2011:  Public Disclosure


Do you have Questions? Questions regarding this advisory should go to

Do you need Software Support? Questions on ISC's Support services or other
offerings should be sent to More information on 

ISC's support and other offerings are available at:

ISC Security Vulnerability Disclosure Policy Details of our current
security advisory policy and practice can be found here:

Legal Disclaimer:: 

Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice and
none should be implied. ISC expressly excludes and disclaims any warranties
regarding this notice or materials referred to in this notice, including,
without limitation, any implied warranty of merchantability, fitness for a
particular purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this notice is
at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits
the document URL is an uncontrolled copy. Uncontrolled copies may lack
important information, be out of date, or contain factual errors.



Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC