Navigation Bar Top Applications Support Documentation Vendors Search Index Top Top

bind9 -- Denial of Service in named(8)


Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.


An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.


A possible workaround is to only allow trusted clients to perform recursive queries.



portaudit: bind9 -- Denial of Service in named(8)

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Officer. Refer to "FreeBSD Security Information" for more information.

Oliver Eikemeier <>