Vulnerability Note VU#418861

BIND DNS Nameserver, DNSSEC validation Vulnerability

Original Release date: 01 Dec 2009 | Last revised: 19 Jan 2010


A vulnerability exists in the way BIND 9 handles recursive client queries that may cause additional records to be added to its cache.


BIND 9 contains a vulnerability in the way recursive client queries are handled. According to ISC:

A nameserver with DNSSEC validation enabled may incorrectly add unauthenticated records to its cache that are received during the resolution of a recursive client query with checking disabled (CD), or when the nameserver internally triggers a query for missing records for recursive name resolution. Cached records can be returned in response to subsequent client queries with or without requesting DNSSEC records (DO). In addition, some of them can be returned to queries with or without checking disabled (CD).

This issue affects BIND versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 -> 9.4.3-P3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.6.1-P1.


An attacker may be able to manipulate cache data and perform DNS Cache Poisoning.


BIND should be upgraded to version 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.

Disable DNSSEC Validation
According to ISC:
Disabling DNSSEC validation will also prevent incorrect caching of additional records due to this defect. However, this removes DNSSEC validation protection and the ability of the nameserver to deliver authenticated data in query responses.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Internet Systems ConsortiumAffected02 Dec 200902 Dec 2009
Alcatel-LucentUnknown02 Dec 200902 Dec 2009
Apple Inc.Unknown02 Dec 200902 Dec 2009
BlueCat Networks, Inc.Unknown02 Dec 200902 Dec 2009
Check Point Software TechnologiesUnknown02 Dec 200902 Dec 2009
Conectiva Inc.Unknown02 Dec 200902 Dec 2009
Cray Inc.Unknown02 Dec 200902 Dec 2009
Debian GNU/LinuxUnknown02 Dec 200902 Dec 2009
DragonFly BSD ProjectUnknown02 Dec 200902 Dec 2009
EMC CorporationUnknown02 Dec 200902 Dec 2009
Engarde Secure LinuxUnknown02 Dec 200902 Dec 2009
EricssonUnknown02 Dec 200902 Dec 2009
F5 Networks, Inc.Unknown02 Dec 200902 Dec 2009
Fedora ProjectUnknown02 Dec 200902 Dec 2009
FreeBSD ProjectUnknown02 Dec 200902 Dec 2009
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



ISC credits Michael Sinatra, UC Berkeley with finding this issue.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2009-4022
  • Date Public: 19 Nov 2009
  • Date First Published: 01 Dec 2009
  • Date Last Updated: 19 Jan 2010
  • Document Revision: 14


If you have feedback, comments, or additional information about this vulnerability, please send us email.