CVE-2011-1907: RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones
Author: Michael McNally Reference Number: AA-00460 Created: 2011-09-09 23:25 Last Updated: 2012-06-08 11:22

RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones

When a name server is configured with a response policy zone (RPZ), queries for type RRSIG can trigger a server crash.

Document Version:
Posting date: 05 May 2011
Program Impacted: BIND
Versions affected: 9.8.0


Description:
This advisory only affects BIND users who are using the RPZ feature configured for RRset replacement. BIND 9.8.0 introduced Response Policy Zones (RPZ), a mechanism for modifying DNS responses returned by a recursive server according to a set of rules which are either defined locally or imported from a reputation provider. In typical configurations, RPZ is used to force NXDOMAIN responses for untrusted names. It can also be used for RRset replacement, i.e., returning a positive answer defined by the response policy. When RPZ is being used, a query of type RRSIG for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit.


Solution:
Install 9.8.0-P1 or higher.

Active exploits: 
None. However, some DNSSEC validators are known to send type=RRSIG queries, innocently triggering the failure.

Workarounds:
Use RPZ only for forcing NXDOMAIN responses and not for RRset replacement.
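As an added defender-side check (not part of the ISC advisory or of BIND), the script below classifies the rules in an RPZ zone by action and lists the names configured for RRset replacement, i.e. the names whose type=RRSIG queries would crash an unpatched 9.8.0 server. The policy-action encodings (CNAME to `.`, `*.` or `rpz-passthru.`) follow BIND's RPZ documentation; the sample zone is constructed.

```python
import re

# RPZ encodes non-data actions as CNAMEs to special targets (per BIND's RPZ
# docs). 9.8.0 also spelled PASSTHRU as a CNAME to the owner name itself.
POLICY_TARGETS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

# Constructed sample policy zone (not from the advisory), single-line SOA.
SAMPLE_RPZ = """\
$TTL 1H
rpz.example.        IN SOA   ns.rpz.example. hostmaster.rpz.example. 1 1H 15M 30D 2H
rpz.example.        IN NS    ns.rpz.example.
; forced NXDOMAIN, NODATA and passthru: actions not affected by the defect
bad.example.com.    IN CNAME .
empty.example.net.  IN CNAME *.
ok.example.org.     IN CNAME rpz-passthru.
; RRset replacement (walled garden): the action affected by CVE-2011-1907
phish.example.com.  IN A     192.0.2.10
redir.example.com.  IN CNAME garden.example.
"""

# owner [ttl] [IN] TYPE rdata  (comments are stripped before matching)
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(\S.*)$")

def classify_rpz(zone_text, apex="rpz.example."):
    """Return (owner, rtype, action) for every policy record in the zone."""
    rules = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):       # blank or $TTL/$ORIGIN
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1), m.group(2), m.group(3).strip()
        if owner == apex and rtype in ("SOA", "NS"):
            continue                               # zone infrastructure, not policy
        if rtype == "CNAME" and (rdata in POLICY_TARGETS or rdata == owner):
            action = POLICY_TARGETS.get(rdata, "PASSTHRU")
        else:
            action = "LOCAL_DATA"                  # RRset replacement
        rules.append((owner, rtype, action))
    return rules

def replacement_names(zone_text):
    """Names whose RRSIG query crashes an unpatched 9.8.0 server."""
    return sorted({o for o, _, a in classify_rpz(zone_text) if a == "LOCAL_DATA"})

if __name__ == "__main__":
    for rule in classify_rpz(SAMPLE_RPZ):
        print(*rule)
```

Any name reported by `replacement_names` should be converted to a forced-NXDOMAIN rule until the server runs 9.8.0-P1 or later.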

CVSS Score: Base 6.1, adjusted for lack of targets, score is 1.5 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C/TD:L)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:

Thank you to Mitsuru Shimamura at Internet Initiative Japan for finding this defect.

Do you have Questions? Questions regarding this advisory should go to

This security advisory is a copy of the official document located on our website:

Do you need Software Support? Questions on ISC's Support services or other offerings should be sent to More information on ISC's support and other offerings is available at:

For more information about DNS RPZ, please check the following:

© 2001-2018 Internet Systems Consortium
