2016-03-10 - News - Tony Finch
Last night the ISC announced another security release of BIND to fix three vulnerabilities. For details see https://lists.isc.org/pipermail/bind-announce/2016-March/thread.html
Probably the most risky is CVE-2016-1286, which is a remote denial-of-service vulnerability in all versions of BIND, without a workaround. CVE-2016-1285 can be mitigated, and probably is already mitigated on servers with a suitably paranoid configuration. CVE-2016-2088 is unlikely to be a problem.
I have updated the central DNS servers to BIND 9.10.3-P4.
I have also made a change to the DNS servers' name compression behaviour.
Traditionally, BIND used to compress domain names in responses so they match the case of the query name. Since BIND 9.10 it has tried to preserve the case of responses from servers, which can lead to case mismatches between queries and answers. This exposed a case-sensitivity bug in Nagios, so after the upgrade it falsely claimed that our resolvers were not working properly! I have added a no-case-compress clause to the configuration so our resolvers now behave in the traditional manner.
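The case mismatch described above, as an added example (not from the original post, and not Nagios or BIND code): a small parser run over two constructed DNS responses, one whose answer owner name is compressed to a pointer at the question name and one whose owner name is written out in its own case. The query name, sample messages and helper functions are assumptions made for illustration.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def read_name(msg, pos):
    """Decode the name at pos, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset of the first byte after the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def build_response(qname, owner_wire):
    """Constructed sample: one question and one A record (192.0.2.1)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = owner_wire + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def owner_names(msg):
    """Return (question name, owner name of the first answer record)."""
    qname, pos = read_name(msg, 12)       # question follows the 12-byte header
    owner, _ = read_name(msg, pos + 4)    # skip QTYPE and QCLASS
    return qname, owner

def same_name(a, b):
    """Compare names ASCII case-insensitively, as RFC 4343 requires."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()

QUERY = "www.example.com"
# Traditional behaviour: owner is a pointer to the question name at offset 12.
TRADITIONAL = build_response(QUERY, b"\xc0\x0c")
# Case-preserving behaviour: owner written out with different case.
PRESERVED = build_response(QUERY, encode_name("WWW.Example.COM"))
```

For `PRESERVED`, the two names returned by `owner_names` differ under `==` but match under `same_name`; for `TRADITIONAL` both comparisons match, which is why an exact string comparison in a monitoring check only starts failing once case is preserved.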