New DNS bug and fix announced

Domain name registries are scrambling to patch a newly discovered bug in popular open source DNS software that could be exploited for denial-of-service attacks.

The bug and a corresponding fix were announced Monday by NLnet Labs, a research group that provides authoritative domain name server software called NSD to domain name registrars.

The bug allows for an attack on an NSD server that would cause it to stop responding to queries. The bug affects all versions of NSD 2.0.0 to 3.2.1, NLnet Labs said calling the bugfix "critical."

The bug is a "one-byte buffer overflow that allows a carefully crafted exploit to take down your name server," NLnet Labs said.

The NSD bug is not the result of a problem with the DNS protocol, nor does it have implications for the rollout of DNS security software known as DNSSEC.  That's why it's a minor incident compared to the Kaminsky bug discovered last summer.

"This bug is serious in so much that it allows an attacker to [make] name servers stop working, but the patch is readily available," says Dave Knight, Director of Resolution Services at Afilias, which operates the .info and .org domains. "We don't think there have been any attacks in the wild."

Knight said that now the bug is public knowledge, hackers can reverse engineer it to build an exploit.

"Patching should be a priority for everyone running NSD," Knight said.

Afilias runs several authoritative software packages, including NSD and BIND. Knight said Afilias was patching its NSD servers, which will be fixed by the end of the week.

"We also run BIND and other DNS software, so we are not necessarily vulnerable to an attack or threat on any one platform," said John Kane, vice president of Afilias. "Some registries only have one platform, which makes them more vulnerable and requires them to do an emergency patch. In our case, we can flip and run only BIND if we need to for awhile, and then we have the luxury of deploying the bug fix on NSD after it's been tested and passed Q/A."