For customers who are unable to migrate immediately to a patched version of BIND, a mitigation strategy is now available. ISC continues to strongly recommend installing a patched version as the safest course of action, but if circumstances prevent you from doing so you can still reduce or eliminate your exposure to CVE-2011-4313 by adding a single configuration option to named.conf.
DNS messages are divided into sections (Question, Answer, Authority, and Additional), each carrying different elements. ISC's analysis of the events of 16 November 2011 indicates that the affected nameservers crashed after inappropriately caching information from the Additional section of responses.
If you are operating a recursing-only nameserver, adding this option to the options block of named.conf [1]:

    options {
        // other options unchanged
        minimal-responses yes;
    };

suppresses the inclusion of data in the Authority and Additional sections of a response whenever the RFCs do not require it, thereby avoiding the code path that contains the failing INSIST assertion.
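The two paragraphs above describe the section layout of a DNS message and the effect of minimal-responses on the Authority and Additional sections. The following script is an added example, not ISC code or anything from BIND: it parses a wire-format response far enough to count and enumerate the records in each section, so an operator can confirm that a recursive server really is answering minimally. The sample responses, the owner names under example.com, the 192.0.2.x addresses and the helper names (build_response, walk_sections, query_resolver) are all constructed for the example.

```python
"""Check whether a DNS response carries Authority/Additional data.

Added example, not ISC's code. Sample messages below are constructed;
query_resolver() is provided for use against a live resolver and is not
called here.
"""
import socket
import struct

SECTIONS = ("question", "answer", "authority", "additional")


def section_counts(msg: bytes) -> dict:
    """Per-section record counts from the 12-byte header (RFC 1035 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return dict(zip(SECTIONS, (qd, an, ns, ar)))


def is_minimal(msg: bytes) -> bool:
    """True when neither the Authority nor the Additional section carries data."""
    c = section_counts(msg)
    return c["authority"] == 0 and c["additional"] == 0


def _name(s: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in s.rstrip(".").split(".")) + b"\x00"


def _read_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2          # resume after the pointer, not after the target
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def walk_sections(msg: bytes):
    """Return (section, owner, rtype) for every record, reading the body rather than trusting the header alone."""
    counts = section_counts(msg)
    off, out = 12, []
    for _ in range(counts["question"]):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out.append(("question", name, qtype))
    for sec in SECTIONS[1:]:
        for _ in range(counts[sec]):
            name, off = _read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            out.append((sec, name, rtype))
    if off != len(msg):
        raise ValueError("section counts do not match message length")
    return out


def _rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Wire-format resource record, class IN."""
    return _name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname: str, answers, authority=(), additional=()) -> bytes:
    """Constructed response: QR+RD+RA flags, one A question, given sections."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), len(authority), len(additional))
    return hdr + _name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers) + b"".join(authority) + b"".join(additional)


def query_resolver(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send one UDP A query (RD set) to `server` and return the raw response bytes."""
    q = struct.pack("!HHHHHH", 0x4242, 0x0100, 1, 0, 0, 0) + _name(qname) + struct.pack("!HH", 1, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return resp


# Constructed samples (TEST-NET-1 addresses, RFC 5737): a "full" answer with an
# NS record in Authority and its glue in Additional, and the same answer sent minimally.
FULL = build_response(
    "www.example.com",
    [_rr("www.example.com", 1, bytes([192, 0, 2, 10]))],
    authority=[_rr("example.com", 2, _name("ns1.example.com"))],
    additional=[_rr("ns1.example.com", 1, bytes([192, 0, 2, 53]))],
)
MINIMAL = build_response("www.example.com", [_rr("www.example.com", 1, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, msg in (("full", FULL), ("minimal", MINIMAL)):
        print(label, section_counts(msg), "minimal" if is_minimal(msg) else "NOT minimal")
```

Feed `walk_sections(query_resolver("192.0.2.1", "www.example.com"))` the address of your own recursive server to check it live. Run the check with an ordinary positive answer: minimal-responses only drops data the RFCs do not require, so negative answers still carry an SOA in Authority and referrals still carry NS records and glue, and those are not evidence that the option is unset.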
Note: we have also tested patching your forwarder when it sits between your internal recursing server and your clients.
In "mixed-mode" servers which perform both authoritative and recursing functions, "minimal-responses yes;" reduces but does not eliminate your exposure. Your best options in this case are to deploy a patched version as soon as possible or to separate the recursing and authoritative functions onto different nameservers.
Authoritative-only servers are not at risk from CVE-2011-4313.
[1] The minimal-responses configuration option was introduced in BIND 9.2 and is not available in BIND 9.0 or 9.1. If you are running one of those releases, please upgrade.