Vigil@nce: Bind, incorrect handling of DNSSEC DLV
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
The Bind DNS server handles unknown DNSSEC algorithms as signature
errors.
Gravity: 1/4
Consequences: denial of service
Provenance: internet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/03/2009
IMPACTED PRODUCTS
– ISC BIND
DESCRIPTION OF THE VULNERABILITY
The DNSSEC protocol is used to authenticate the data of DNS zones. The
DLV (DNSSEC Lookaside Validation) extension is an interim mechanism
used until the root zone and the zones below it are signed.
When the DLV record for a zone uses an algorithm unknown to Bind, such
as NSEC3RSASHA1, Bind treats the zone as invalid (a signature error)
instead of treating it as unsigned. Resolution of the impacted zone
therefore fails.
Currently, no TLD uses DLV. However, the .gov TLD will use it on May
1st 2009. DNS servers which are not updated before this date will
thus be impacted by this problem.
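As an added illustration, not code from the advisory or from ISC, the decision a validator makes when the DLV (or DS) record of a zone names an algorithm it does not implement, placing the behaviour described above beside the handling RFC 4035 section 5.2 prescribes (treat the child zone as unsigned). Algorithm numbers are IANA registry values; the supported-algorithm sets and the zone table are constructed assumptions.

```python
"""Decision logic of a DNSSEC validator when the DLV/DS RRset of a zone
lists signature algorithms the validator does not implement.

Illustrative code, not BIND's source. Algorithm numbers follow the IANA
DNSSEC algorithm registry (5 = RSASHA1, 7 = NSEC3RSASHA1, RFC 5155)."""

from typing import Iterable

# Assumed: algorithms an older (pre-NSEC3) validator implements.
LEGACY_SUPPORTED = {1, 3, 5}          # RSAMD5, DSA, RSASHA1
# Assumed: the same validator after adding NSEC3 support (RFC 5155).
NSEC3_SUPPORTED = LEGACY_SUPPORTED | {6, 7}

def classify_zone(dlv_algorithms: Iterable[int], supported: set[int],
                  buggy: bool) -> str:
    """Return the state derived from the DLV/DS algorithms of a delegation:
    'verify'   - a known algorithm exists, signature checking proceeds;
    'insecure' - the zone is treated as unsigned;
    'bogus'    - the answer is rejected (clients receive SERVFAIL).

    buggy=True models the advisory: an unknown algorithm is handled as a
    signature error. buggy=False models RFC 4035 section 5.2: a DS/DLV
    RRset whose algorithms are all unsupported makes the zone insecure."""
    algs = set(dlv_algorithms)
    if not algs:
        return "insecure"            # no DLV/DS record: unsigned delegation
    if algs & supported:
        # Assumption: a known algorithm is enough for verification to start.
        return "verify"
    # Only unknown algorithms remain.
    return "bogus" if buggy else "insecure"

def affected_zones(dlv_table: dict[str, list[int]],
                   supported: set[int]) -> list[str]:
    """Defender's check: zones a validator with this algorithm set would
    stop resolving if it shows the advisory's behaviour."""
    return sorted(zone for zone, algs in dlv_table.items()
                  if classify_zone(algs, supported, buggy=True) == "bogus")

# Constructed DLV table: algorithm numbers per zone (sample data).
SAMPLE_DLV = {
    "example.gov.": [7],         # NSEC3RSASHA1 only
    "example.org.": [5],         # RSASHA1
    "mixed.example.": [5, 7],    # both algorithms present
    "unsigned.example.": [],     # no DLV record at all
}
```

Running affected_zones(SAMPLE_DLV, LEGACY_SUPPORTED) lists only the NSEC3-only zone; with NSEC3_SUPPORTED the list is empty, which is the effect of applying the update.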
CHARACTERISTICS
Identifiers: VIGILANCE-VUL-8549
http://vigilance.fr/vulnerability/Bind-incorrect-handling-of-DNSSEC-DLV-8549