2019-10-17 - News - Tony Finch
Last night ISC.org published security releases of BIND.
For full details, please see the announcement messages: https://lists.isc.org/pipermail/bind-announce/2019-October/thread.html
The vulnerabilities affect two features that are new in BIND 9.14, mirror zones and QNAME minimization, and we are not affected because we are not using either feature.
QNAME minimization
"Query name minimization" is a DNS privacy enhancement that changes the resolver algorithm to avoid leaking details of queries to the root and top-level domain name servers.
As noted when we upgraded to BIND 9.14, we have disabled QNAME minimization to avoid interoperability problems with the current algorithm.
Our resolvers don't do any query forwarding either, so we avoid this vulnerability twice over.
Mirror zones
The aim of this feature is to allow a resolver to host its own "hyperlocal" copy of the DNS root zone. This can speed up queries that are not in the resolver's cache. Unlike previous ways of configuring a hyperlocal root zone, mirror zones do proper DNSSEC validation of the zone contents to ensure they are not tampered with.
There is another recent feature, negative answer synthesis, which uses the results of DNSSEC validation to generate negative answers from the contents of the resolver's cache, without having to query authoritative servers.
These two features have substantially the same effect: both reduce how often resolvers need to make long-distance queries just to find out that a mistyped domain name doesn't exist. But mirror zones are basically only useful for the root zone, and they require special configuration; whereas negative answer synthesis is useful for many other parts of the DNS, and needs no configuration.
So we don't use mirror zones, and we aren't at risk from this vulnerability.
(Geoff Huston wrote Expanding the DNS Root: Hyperlocal vs NSEC Caching, which comes to the same conclusions.)
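As an added example (not from this post or from ISC), here is a small Python check that reads a named.conf and reports whether the two BIND 9.14 features at issue, mirror zones and QNAME minimization with forwarding, are in use, i.e. the two checks above. The two sample configurations are constructed, `strip_comments` and `check_named_conf` are my own names, and on a real server it should be fed the expanded output of `named-checkconf -p` rather than raw included files.

```python
import re

# Constructed named.conf fragments (not from the post), exercising the settings discussed:
# a mirror zone for the root, QNAME minimization left on, and a populated forwarders list.
EXPOSED_CONF = """
options {
    recursion yes;
    qname-minimization relaxed;   // BIND 9.14 default
    forwarders { 192.0.2.53; };
    synth-from-dnssec yes;
};
zone "." {
    type mirror;
};
"""

# The shape of the post's own setup: no mirror zone, minimization off, no forwarding.
UNAFFECTED_CONF = """
options {
    recursion yes;
    qname-minimization disabled;
    forwarders { };
    synth-from-dnssec yes;
};
zone "example.test" {
    type primary;
    file "db.example.test";
};
"""

def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out settings are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def check_named_conf(conf):
    """Report which of the two BIND 9.14 features the post discusses are in use."""
    text = strip_comments(conf)
    # Zones whose statements include "type mirror;" before any nested sub-block
    # (sub-blocks before "type" are not handled; use named-checkconf -p output).
    mirror_zones = re.findall(
        r'zone\s+"([^"]*)"\s*(?:IN\s+)?\{[^}]*?\btype\s+mirror\s*;', text, flags=re.S)
    m = re.search(r"\bqname-minimization\s+(strict|relaxed|disabled|off)\s*;", text)
    qmin = m.group(1) if m else "relaxed"          # absent => 9.14 default, relaxed
    # A forwarders block counts only if it names at least one server.
    forwarding = re.search(r"\bforwarders\s*\{\s*[^}\s]", text) is not None
    return {
        "mirror_zones": mirror_zones,
        "qname_minimization": qmin,
        "forwarding": forwarding,
        # The post's two reasons for being unaffected, turned into exposure flags.
        "uses_mirror_zones": bool(mirror_zones),
        "qmin_with_forwarding": qmin not in ("disabled", "off") and forwarding,
    }
```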