Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.
Version 8.2.2 of BIND includes some checks for the correct format of a DNSSEC signature record that previous versions did not. Specifically, the file ns_resp.c contains a routine called 'rrextract' (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, handling each record type differently. For case T_SIG, it decodes signature records. When it gets to the name of the signing domain, there is the following block of code:
Intruders may be able to interrupt the normal operations of your nameserver.
Upgrade to BIND 8.2.2 patch level 5 or later.
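As an added example (not BIND's source and not from ISC), the C function below shows the per-field bounds checking a T_SIG conversion needs when copying a signature record from network format into a fixed-size database buffer. The function name `sig_to_db`, the RFC 2535 SIG RDATA layout it parses, and the choice to reject compression pointers and empty signatures are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIG_FIXED 18      /* covered(2) alg(1) labels(1) ttl(4) exp(4) inc(4) tag(2) */
#define MAXDNAME_WIRE 255 /* longest legal domain name on the wire */

/* Hypothetical helper, not BIND's rrextract(): copy one SIG RDATA from the
 * wire (rd, rdlen) into a database buffer (out, outlen). Returns the number
 * of bytes written, or -1 if any length would run past either buffer. */
long sig_to_db(const uint8_t *rd, size_t rdlen, uint8_t *out, size_t outlen)
{
    size_t in, o, name_len = 0;

    /* Fixed header: source and destination must both hold all 18 bytes. */
    if (rdlen < SIG_FIXED || outlen < SIG_FIXED)
        return -1;
    memcpy(out, rd, SIG_FIXED);
    in = o = SIG_FIXED;

    /* Signer's name: walk label by label, checking before every copy. */
    for (;;) {
        if (in >= rdlen)
            return -1;                 /* name ran off the end of the RDATA */
        uint8_t len = rd[in];
        if (len & 0xC0)
            return -1;                 /* pointers rejected (simplification) */
        if (len + 1u > rdlen - in)     /* label claims more than is left */
            return -1;
        name_len += len + 1u;
        if (name_len > MAXDNAME_WIRE || len + 1u > outlen - o)
            return -1;                 /* name too long or output is full */
        memcpy(out + o, rd + in, len + 1u);
        in += len + 1u;
        o += len + 1u;
        if (len == 0)
            break;                     /* root label terminates the name */
    }

    /* Signature: whatever remains; must be non-empty and fit the output. */
    size_t siglen = rdlen - in;
    if (siglen == 0 || siglen > outlen - o)
        return -1;
    memcpy(out + o, rd + in, siglen);
    return (long)(o + siglen);
}
```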
Compaq Computer Corporation
Thanks to ISC for reporting this problem.