The Internet Systems Consortium [http://www.isc.org] released an update today (2009-Jan-07) for all supported BIND 9.x versions, containing a security patch that addresses a potential DNS poisoning vector. *NOTE* This patch release does not appear to be an emergency requiring immediate updates for everyone: the bug appears to affect only specific BIND configurations where DNSSEC has been enabled. This note will be updated if that turns out not to be the case.
If you or your organization is responsible for the operational management of any supported BIND 9.x version and have explicitly enabled and use DNSSEC features, it may be time to plan your upgrade. Patch deployment appears most critical for recursive name resolvers. The flaw affects all actively developed and supported versions prior to today's releases and is resolved in BIND 9.3.6-P1, 9.4.3-P1, 9.5.0-P2(-W2), 9.5.1-P1 and 9.6.0-P1. No detail is available to identify affected versions within vendor-specific package management systems that use back-ported versioning; in that case, check with your vendor.
From the BIND "RELEASE NOTES" relative to each specific supported version:
If you are not entirely certain whether your organization is running DNSSEC-enabled configurations, especially among recursive resolver deployments (which, as I understand it, would be the most logical target for most DNS cache poisoning attacks), the checks below may help. <ashamed>I myself was not certain whether my org was running DNSSEC.</ashamed> I leaned heavily on my buddy Mark, whom I consult on just about every DNS-related issue. It was he who helped me identify how others could remotely query for DNSSEC enablement across their BIND (recursive) server infrastructure.
How can I check my BIND deployments remotely?
The following validation steps assume that you use a recent version of the dig client with DNSSEC query support.
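As an added example (not the diary's own steps, and not ISC code), here is a POSIX shell helper that sends `dig +dnssec` to one of your own recursive resolvers and classifies the response by its header `ad` flag and any RRSIG records; the resolver address, the zone name example.net and the sample dig output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original diary: query a recursive resolver
# with the EDNS DO bit set and classify what comes back.

# Ask $1 (a resolver you operate) for the A record of $2, a zone assumed to
# be DNSSEC-signed and, in 2009, covered by a trust anchor you configured.
query_resolver() {
    dig +dnssec +noall +comments +answer @"$1" "$2" A
}

# Read dig output on stdin and print one word:
#   validating   - header "ad" flag set: the resolver validated the answer
#   dnssec-aware - RRSIGs returned but no "ad": it returns DNSSEC data
#                  (dnssec-enable) but either does not validate or has no
#                  trust anchor covering this zone
#   plain        - no DNSSEC material at all
classify_dig_output() {
    out=$(cat)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    if printf ' %s ' "$flags" | grep -q ' ad '; then
        echo validating
    elif printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo dnssec-aware
    else
        echo plain
    fi
}

check_resolver() {
    query_resolver "$1" "$2" | classify_dig_output
}

# Constructed sample responses in dig's format (not real captures), used to
# exercise the classifier offline. example.net and the signature are made up.
SAMPLE_VALIDATING=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
www.example.net.  3600  IN  A      192.0.2.10
www.example.net.  3600  IN  RRSIG  A 5 3 3600 20090201000000 20090101000000 12345 example.net. CONSTRUCTED=='
SAMPLE_AWARE=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
www.example.net.  3600  IN  A      192.0.2.10
www.example.net.  3600  IN  RRSIG  A 5 3 3600 20090201000000 20090101000000 12345 example.net. CONSTRUCTED=='
SAMPLE_PLAIN=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
www.example.net.  3600  IN  A      192.0.2.10'

# Usage: sh check_dnssec.sh <resolver-ip> <signed-zone>
if [ "$#" -ge 2 ]; then
    check_resolver "$1" "$2"
fi
```

A resolver that answers "validating" is the one this patch matters most for; "dnssec-aware" without `ad` is ambiguous and should be confirmed against the server's named.conf.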
Refer to the ISC BIND Server software Index
Jan 8th 2009