BIND CVE-2016-1286 etc.

2016-03-10 - News - Tony Finch

Last night the ISC announced another security release of BIND to fix three vulnerabilities. For details see

Probably the most risky is CVE-2016-1286 which is a remote denial-of-service vulnerability in all versions of BIND without a workaround. CVE-2016-1285 can be mitigated, and probably is already mitigated on servers with a suitably paranoid configuration. CVE-2016-2088 is unlikely to be a problem.

I have updated the central DNS servers to BIND 9.10.3-P4.

I have also made a change to the DNS servers' name compression behaviour. Traditionally, BIND used to compress domain names in responses so they match the case of the query name. Since BIND 9.10 it has tried to preserve the case of responses from servers, which can lead to case mismatches between queries and answers. This exposed a case-sensitivity bug in Nagios, so after the upgrade it falsely claimed that our resolvers were not working properly! I have added a no-case-compress clause to the configuration so our resolvers now behave in the traditional manner.