Operational Notification - A Vulnerability in the SRTT Algorithm affects BIND 9 Authoritative Server Selection
Author: Jeffrey Wright | Reference Number: AA-01030 | Created: 2013-08-12 16:29 | Last Updated: 2013-08-13 19:45


ISC has been made aware of a deficiency in the Smoothed Round Trip Time (SRTT) algorithm implemented in BIND 9 that can theoretically allow an attacker to artificially lower the SRTT value that a recursive resolver has associated with an authoritative server.

This could allow the attacker to influence the selection of a specific authoritative server from an NS resource record set with multiple values, determining which of multiple authoritative servers for a domain will be queried.

SRTT selection is not used by authoritative-only servers, but recursive-only or recursive-authoritative hybrid servers are vulnerable to being influenced in this manner.

Posting date: 13 August 2013

Program Impacted: BIND 9

Versions affected: All currently existing versions of BIND 9


The Smoothed Round Trip Time (SRTT) algorithm is used by BIND to determine which authoritative server should be queried for a domain which has multiple listed servers in its NS record RRset.

The current implementation of the SRTT algorithm may be remotely exploited, allowing an attacker to influence the SRTT values assigned to the servers in an NS RRset. As a result, an attacker can influence which server (out of multiple possible servers) will receive queries for a specific domain.

By itself, this defect is considered to be of limited use as an attack vector, but it has security implications because it can act as a force multiplier in conjunction with other exploits. For example, if a single server from a multiple-server authoritative RRset is compromised, this technique would allow an attacker to ensure that queries were made to the compromised server instead of whichever server would ordinarily have the lowest SRTT value.
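To make the selection mechanism concrete, the following is an added Python model of SRTT-based server selection; it is illustrative code, not BIND's, and the smoothing weight, the zero initial estimate for untried servers and the constructed round-trip times are assumptions. It counts how many queries a single lowering of one server's SRTT redirects before that server's real response times push its estimate back above the honest best server, without modelling how such a lowering would be achieved.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed weight kept on the previous estimate; BIND's own constant may differ.
ALPHA = 0.7


@dataclass
class NsServer:
    name: str
    srtt_ms: float  # the resolver's current smoothed RTT estimate for this NS


def update_srtt(old_ms: float, sample_ms: float, alpha: float = ALPHA) -> float:
    """Exponential smoothing of the estimate from one measured response time."""
    return alpha * old_ms + (1.0 - alpha) * sample_ms


def select_server(servers: list[NsServer]) -> NsServer:
    """The resolver sends the next query to the NS with the lowest SRTT."""
    return min(servers, key=lambda s: s.srtt_ms)


def run_queries(servers: list[NsServer], true_rtt_ms: dict[str, float], n: int) -> dict[str, int]:
    """Send n queries honestly: each goes to the lowest-SRTT server, whose
    estimate is then refreshed from its real RTT. Returns per-server counts."""
    counts = {s.name: 0 for s in servers}
    for _ in range(n):
        chosen = select_server(servers)
        counts[chosen.name] += 1
        chosen.srtt_ms = update_srtt(chosen.srtt_ms, true_rtt_ms[chosen.name])
    return counts


def queries_diverted(servers: list[NsServer], true_rtt_ms: dict[str, float],
                     target: str, lowered_srtt_ms: float, limit: int = 1000) -> int:
    """Assume one server's SRTT has been driven to an artificially low value and
    count the consecutive queries it captures until its real RTT corrects the
    estimate. `limit` guards the case where the target really is the fastest."""
    victim = next(s for s in servers if s.name == target)
    victim.srtt_ms = lowered_srtt_ms
    diverted = 0
    while diverted < limit and select_server(servers) is victim:
        diverted += 1
        victim.srtt_ms = update_srtt(victim.srtt_ms, true_rtt_ms[target])
    return diverted


def build_scenario() -> tuple[list[NsServer], dict[str, float]]:
    """Constructed NS RRset: untried servers start at SRTT 0 (assumption)."""
    true_rtt = {"ns1": 20.0, "ns2": 50.0, "ns3": 30.0}
    return [NsServer(n, 0.0) for n in true_rtt], true_rtt
```

After an honest warm-up the fastest server receives almost all queries; lowering a slower server's SRTT to 1 ms diverts the next few queries to it until smoothing restores the honest ordering.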

ISC plans to address this deficiency by reimplementing the SRTT algorithm in future maintenance releases of the BIND 9 code.


The deficiency in the SRTT algorithm is not considered an exploitable security vulnerability on its own. However, we are announcing it in this operational notification because:

  • An academic paper is going to be presented to a security conference and we believe that explaining the context will help operators understand the implications for their DNS security.
  • The deficiency could hypothetically serve as a force multiplier for other attacks.

Future maintenance versions of BIND will reimplement the SRTT algorithm to address the deficiency, but for now the recommended strategy is to proceed with the awareness that the security of any service relying on DNS resolution for a specified domain is only as strong as the least secure server in the listed authoritative servers for that domain.

- Do you have Questions? Questions regarding this advisory should go to

- Additional information on our Operational Notifications is here:, and Phased Disclosure Process is here:

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be inferred. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use of, or reliance on, this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.

© 2001-2018 Internet Systems Consortium


Feedback

    [Michael McNally]: May 2014 Article Raises Awareness of This Issue (2014-05-06 23:13)

    A May 2014 article ( has prompted several users to contact us to ask about the current status of this issue. ISC disagrees with the article, which describes the SRTT issue as a critical DNS security flaw and compares it to the OpenSSL Heartbleed bug in severity.

    Our position remains unchanged at this time -- that the SRTT issue could be used to enhance the effectiveness of another attack but is not a significant threat by itself. ISC has plans to change the SRTT algorithm to prevent even this, but has not yet implemented those plans or committed to a timetable for doing so.

    Readers wanting more background on the issue to judge for themselves can find the original conference presentation here:

    If you believe you are aware of security implications related to this vulnerability that we have not considered, please share your thinking with us by e-mailing them to using the PGP public key available here:

    Thank you,

    Michael McNally
    ISC Support
