Bug puts net's most popular DNS app in Bind
Rare but remote
Makers of Bind have warned of a security vulnerability in versions of the domain name resolution application that could allow attackers to trick servers into returning unauthorized results.
The bug in the Berkeley Internet Name Domain program surfaces only when the DNSSEC security implementation is enabled and the name server accepts queries from the internet at large, a designation known as recursive. The combination of name servers being both recursive and using DNSSEC to validate records is rare, according to this advisory from the Internet Systems Consortium, which maintains Bind.
But DNS servers that are so configured may at risk of attacks that can be remotely launched. "A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query," ISC representatives wrote.
Bind is the internet's most widely used domain name system software. It is used to translate domain names into numeric IP addresses. DNSSEC is designed to cryptographically authenticate servers that provide DNS look-up information to ensure it is authentic.
Administrators are advised to upgrade Bind to version 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2. There are no fixes for versions 9.0 through 9.3, which are being phased out. Those not able to immediately patch can restrict recursion. ®
"and the name server accepts queries from the internet at large, a designation known as recursive"
A DNS server is not recursive if it accepts queries from the internet.
It's recursive if it tries to resolve queries for domains it's not authoratative for, by passing those queries on to the actual authoratative servers (those listed in the NS records for the domain) and then passes the reply back to the client.
So if your DNS server is the NS server for "theregister.co.uk", then it will resolve things like www.theregister.co.uk to an IP, if queried.
If it's recursive, and you ask it for the IP of www.google.com, your DNS server will query googles DNS servers, and return the IP it gets back to you. If it's not recursive and you ask for www.google.com, it will respond that it has no record of that name.
It's got nothing to do with accepting queries from the internet, a DNS server on a LAN can be recursive or not, depending on what you need to achieve.
"Rare but remote" ???
Bind has suffered heaps of exploits of various sorts over the years. I'm with DJB, it's a pile of steaming poo, even if he is an opinionated old git.
I'd agree with DJB more if he didn't have to rewrite syslog to implement a good dns server.