The ISC is still investigating the problem, which is known to affect all currently supported versions of BIND. The ISC, which maintains the popular DNS software, stated that a number of organizations have reported crashes interrupting service on BIND 9 nameservers performing recursive queries.
According to the ISC, an as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record. Subsequent queries for the record would crash the resolvers with an assertion failure. The situation could potentially be exploited by an attacker to cause a denial-of-service (DoS).
“Affected servers crashed after logging an error in query.c with the following message: “INSIST(! dns_rdataset_isassociated(sigrdataset))” Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9,” according to the ISC advisory.
“ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached,” the advisory continues. “At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.”
Organizations are advised to upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1 or 9.4-ESV-R5-P1.