
Is the most important DNS software vulnerable?

It's nothing less than the software that runs the net (at a certain level)

Tags: dns, internet security, vulnerability

By Patrick Gray

Published: 5 March 2003 10:54 GMT

Confusion is rife about potential vulnerabilities in BIND, the most commonly used domain name server on the internet, and experts are calling on the makers of the software to clarify the issue.

Domain name servers translate domain names into numerical IP addresses, and the vast majority of them run BIND; the software effectively underpins the internet.

The Internet Software Consortium (ISC), the group responsible for maintaining the software, released a new version of BIND on Monday, with its website billing it as a maintenance release.

"BIND 9.2.2 is the latest release of BIND 9. It is a maintenance release, containing fixes for a number of bugs in 9.2.0 but no new features," it said. However, on Wednesday the site had been updated, saying that ISC had been made aware of vulnerabilities in BIND, and saying that upgrading was "strongly recommended".

BIND 9.2.1, the previous version, contains a remotely triggerable buffer overflow, but only when built with the non-default "libbind" option. Earlier versions may also be exposed to known problems in the widely used OpenSSL library; again this is a non-default build option, and the flaw lies in the SSL library rather than in BIND itself.
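A quick way to act on the upgrade advice above is to check what version each name server reports and flag anything earlier than 9.2.2. The following shell script is an added example, not from the article or from ISC. It assumes the version string comes either from `named -v` on the host or from a `dig +short @<server> version.bind chaos txt` query, and it deliberately does not try to tell whether the non-default libbind option was used: that is a build-time question that has to be answered on the host. The sample answers in the loop are constructed, not captured from real servers.

```shell
#!/bin/sh
# Added example, not part of the original article or of BIND itself.
# Classifies a reported BIND version against the 9.2.2 maintenance release
# that ISC "strongly recommended" upgrading to.

# normalize_version RAW
# Accepts either dig's +short TXT answer, e.g. "9.2.1" (with quotes), or the
# output of `named -v`, which is assumed here to look like "BIND 9.2.1",
# and prints the bare version string.
normalize_version() {
    printf '%s\n' "$1" | sed 's/^BIND //; s/^"//; s/"$//'
}

# bind9_older_than_922 VERSION
# exit 0 : a BIND 9 release older than 9.2.2 (upgrade advised)
# exit 1 : 9.2.2 or newer
# exit 2 : not a parseable BIND 9 version, e.g. the operator hid it with
#          options { version "..."; }; in named.conf, or this is BIND 8.
bind9_older_than_922() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^9\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$fields" ] || return 2
    set -- $fields
    minor=$1
    patch=$2
    if [ "$minor" -lt 2 ]; then return 0; fi
    if [ "$minor" -gt 2 ]; then return 1; fi
    [ "$patch" -lt 2 ]
}

# check_reported_version RAW
# Prints a one-line verdict for one raw answer.
check_reported_version() {
    ver=$(normalize_version "$1")
    bind9_older_than_922 "$ver"
    case $? in
        0) printf '%s: BIND 9 release before 9.2.2, upgrade recommended\n' "$ver" ;;
        1) printf '%s: 9.2.2 or later\n' "$ver" ;;
        *) printf '%s: not a BIND 9 version string, check named -v on the host\n' "$ver" ;;
    esac
}

# Constructed sample answers (not from real servers), as dig +short would print them.
for raw in '"9.2.1"' '"9.2.2"' '"9.1.3"' '"9.3.0"' '"none"' '"8.3.4"'; do
    check_reported_version "$raw"
done
```

Operators can set `options { version "..."; };` in named.conf to hide or replace the string that `version.bind` returns, so an unparseable answer (exit status 2) means "check on the host", not "safe". The check is also scoped to BIND 9; a BIND 8 server, which the article says still shares the libbind code, lands in the same "check on the host" bucket rather than being declared clean.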

Johannes Ulrich, chief technology officer of the SANS Institute's Internet Storm Center, believes that ISC has not given the issue the attention it deserves. Ulrich said that the software consortium should "basically do a better PR job by notifying people to the urgency of the release".

"We still don't know enough about it," he added.

Melbourne-based security consultant Adam Pointon agreed, and said that ISC should release a detailed advisory on the issue simply to clarify the situation.

"I think they should because the vendors are going to be confused as well as the normal users... no normal users will know about this problem yet," he said.

Ulrich added that the libbind vulnerability may in fact have been indirectly known about for a while. Confusion about which code was used in which version has led to uncertainty over which vulnerability affects which version of BIND. "In hindsight it was known since the beginning. That libbind thing is the last of the shared code between [versions] 8 and 9," he said.

Version 9 was more or less a complete rewrite of version 8, and is generally regarded as being a lot more secure.

Patrick Gray writes for ZDNet Australia.
