Thanks Michael! I guess 'ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached' is the part I'm interested in reading about and there are no details yet..
> http://www.isc.org/software/bind/advisories/cve-2011-4313 > On Nov 16, 2011 8:53 PM, "Larry W. Cashdollar" <b...@fbi.dhs.org> wrote: > >> Hello list, >> I am wondering if anyone has more details on the bind9 DoS that just >> came >> out? (CVE-2011-4313) from what I can tell it appears a negative cached >> DNS >> object with a valid RR response associated with it(which shouldn't >> exist) >> will cause a vulnerabile bind9 server to crash. >> >> See lines 1890 - 1896 of query.c >> 1890 if (result == DNS_R_NCACHENXRRSET) { >> 1891 dns_rdataset_disassociate(rdataset); >> 1892 /* >> 1893 * Negative cache entries don't have sigrdatasets. >> 1894 */ >> 1895 INSIST(! dns_rdataset_isassociated(sigrdataset)); >> 1896 } >> >> >> Since allowing recursive queries must be enabled for this to work the >> attacker must force a vulnerable dns server to query a malicous DNS >> server by asking it to look up an NXrecord for a domain the attacker >> controls dns for. Sending a response of NXdomain but having actual DNS >> results in the response. >> >> I am wondering if someone has seen a good write up out there? >> >> Thanks >> -- Larry C$ >> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
