Knowledge Base ISC Main Website Ask a Question/Contact ISC
BIND 9 Security Vulnerability Matrix - 9.0 Branch
Author: ISC Support Reference Number: AA-01577 Views: 481 Created: 2016-02-28 15:36 Last Updated: 2018-02-28 18:03 0 Rating/ Voters
The BIND versions listed in this article are EOL

This BIND 9 Security Vulnerability Matrix is a record of vulnerabilities affecting the EOL BIND 9.0 branch during (or very shortly after) its lifetime.  It is known to be affected by some vulnerabilities discovered after the EOL date (July 2001) but they will not be listed here.

This article has two parts

  • The first part is a table listing all of the vulnerabilities covered by this page.  The first column is a reference number for use in the tables in the second part.  The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its page on  The third column is a short description of the vulnerability, linked (where possible) to our Knowledge Base article on the vulnerability.
  • The second part is a table listing all of the releases in this branch along the side and vulnerabilities along the top.  If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it.  If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

See the matrix for current branches for more information about how to interpret these tables.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

Using obsolete versions of BIND

We recommend that you not use obsolete versions of any ISC software. It was updated for a reason.

Listing of Vulnerabilities affecting BIND 9.0

# CVE Number Short Description
44 2011-2465 Remote crash with certain RPZ configurations
43 2011-2464 remote packet denial of service against authoritative and recursive servers
42 2011-1910 Large RRSIG RRsets and negative caching can crash named
41 2011-1907 RRSIG queries can trigger server crash when using Response Policy Zones
40 2011-0414 Server lockup upon IXFR or DDNS update combined with high query rate
39 2010-3613 cache incorrectly allows an ncache entry and an RRSIG for the same type
38 2010-3615 allow-query processed incorrectly
37 2010-3614 Key algorithm rollover bug in BIND 9
36 2010-3762 failure to handle bad signatures if multiple trust anchors configured
35 2010-0218 Unexpected ACL Behavior in BIND 9.7.2
34 2010-0213 RRSIG query handling bug in BIND 9.7.1
33 2010-0097 DNSSEC validation code could cause bogus NXDOMAIN responses
32 2009-4022 Cache Update From Additional Section
31 2009-0696 Dynamic Update DoS attack
30 2008-5077 DNSSEC issue with DSA and NSEC3DSA algorithms
2008-1447 DNS cache poisoning issue
2008-0122 inet_network() off-by-one buffer overflow
2007-2930 cryptographically weak query ids (BIND 8)
2007-2926 cryptographically weak query ids
2007-2925 allow-query-cache/allow-recursion default acls not set.
2007-2241 Sequence of queries can cause a recursive nameserver to exit.
2007-0494 Denial of service via ANY query response containing multiple RRsets.
13 2002-0400
DoS internal consistency check (DoS_findtype)

Why don't the reference numbers begin at 1?

In order to reduce confusion we preserve the reference number across all of our articles and tables.  In order to reduce clutter we have pared down the entries to only those listed in the table for this branch.

BIND 9.0

(EOL July 2001; Final matrix update 2011-09-09)

ver/CVE 13
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
9.0.1  + +     +   + + + + + +       +   +          
 + +         + + + + + +       +   +          


© 2001-2018 Internet Systems Consortium

For assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.

ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.

  • There is no feedback for this article
Quick Jump Menu