Source: bind9
Version: 1:9.10.3.dfsg.P4-11
Severity: grave

bind9 uses /dev/random unconditionally, without the possibility to change that in the configuration. It uses it, for example, in dnssec-keygen or during dnssec key operations in named.

/dev/random can and will block at random times. If this happens in named, the whole daemon will cease to answer any requests. In my tests this always happens with ECDSA key operations, which need randomness. This is effectively a DoS.

Bastian

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
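
The failure mode reported above, a blocking read on an entropy device stalling the whole daemon, can be bounded by polling the descriptor with a timeout. The following is an added example, not code from bind9 or from the report; `read_entropy_bounded` and `demo_stalled_source` are hypothetical names, and a pipe holding only a few bytes is a constructed stand-in for a starved /dev/random.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Read up to len bytes from an entropy fd, waiting at most timeout_ms for
 * each chunk. Returns the bytes read (short if the source stalls), -1 on error. */
ssize_t read_entropy_bounded(int fd, unsigned char *buf, size_t len, int timeout_ms)
{
    size_t got = 0;
    int fl = fcntl(fd, F_GETFL);
    if (fl < 0 || fcntl(fd, F_SETFL, fl | O_NONBLOCK) < 0)
        return -1;
    while (got < len) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) break;            /* source stalled: report a short read */
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) { if (errno == EAGAIN || errno == EINTR) continue; return -1; }
        if (n == 0) break;            /* EOF */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Constructed stand-in for a starved /dev/random: a pipe holding `avail` bytes. */
ssize_t demo_stalled_source(size_t avail, size_t want, int timeout_ms)
{
    int pfd[2];
    unsigned char seed[64] = {0}, out[64];
    if (avail > sizeof seed || want > sizeof out || pipe(pfd) < 0) return -1;
    if (avail && write(pfd[1], seed, avail) != (ssize_t)avail) return -1;
    ssize_t n = read_entropy_bounded(pfd[0], out, want, timeout_ms);
    close(pfd[0]); close(pfd[1]);
    return n;
}

int main(void)
{
    printf("starved source: got %zd of 32 bytes\n", demo_stalled_source(8, 32, 100));
    printf("healthy source: got %zd of 32 bytes\n", demo_stalled_source(32, 32, 100));
    return 0;
}
```

A caller that receives a short count can log the stall and retry from its event loop instead of hanging while requests queue up.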

