oss-sec mailing list archives

Re: DoS vulnerability in the BIND resolver (and potentially others)


From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 13 Jan 2013 12:46:32 -0700


On 01/13/2013 03:26 AM, Florian Weimer wrote:
> Scott Brynen described a behavioral change in some of the UltraDNS
> authoritative name servers:
>
> <https://lists.dns-oarc.net/pipermail/dns-operations/2013-January/009501.html>
>
> Mark Andrews of ISC confirmed that this triggers a denial of
> service condition in the BIND recursive resolver:
>
> <https://lists.dns-oarc.net/pipermail/dns-operations/2013-January/009506.html>
>
> I think he is right, but this obviously has to be fixed in the
> resolver.  Can this be assigned a CVE?

Uhmm I'm going to defer to Steven on this one:

1) is this a security issue? I'm not totally convinced it is. It's
definitely broken behaviour.
2) Does this get a single CVE or one per broken client software?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
