Vulnerability Note VU#837744

ISC BIND named validator vulnerability

Original Release date: 01 Dec 2010 | Last revised: 01 Dec 2010


Overview

ISC BIND named contains a vulnerability where under certain situations it could incorrectly mark zone data as insecure.


Description

According to ISC:

named, acting as a DNSSEC validator, was determining if an NS RRset is insecure based on a value that could mean either that the RRset is actually insecure or that there wasn't a matching key for the RRSIG in the DNSKEY RRset when resuming from validating the DNSKEY RRset.
This can happen in the middle of a DNSKEY algorithm rollover, when two different algorithms were used to sign a zone but only the new set of keys is in the zone DNSKEY RRset.
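The state confusion ISC describes is easiest to see in a small model. The following is an added example, not BIND code: it simulates a validator checking an NS RRset against a DNSKEY RRset, once with the flawed logic (one return value stands for both "no matching DNSKEY" and "delegation is insecure") and once with the distinction restored. Real RRSIG verification is replaced by an HMAC over a canonical form, and the zone name, key tags and key material are constructed sample values.

```python
"""Toy model of the validator state confusion described in VU#837744.
Constructed example, not BIND code: RRSIG verification is stood in for
by an HMAC over a canonical form of the RRset."""
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac


class Status(Enum):
    SECURE = "secure"      # a valid RRSIG chained to a trusted DNSKEY
    INSECURE = "insecure"  # proven unsigned (no DS for the delegation)
    BOGUS = "bogus"        # should be signed, but no RRSIG could be verified


@dataclass(frozen=True)
class DNSKEY:
    algorithm: int   # DNSSEC algorithm number (e.g. 5 = RSASHA1, 8 = RSASHA256)
    key_tag: int
    secret: bytes    # toy stand-in for the key material


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def _canonical(owner, rtype, rdata):
    # Canonical form: owner name, type and the RRs in sorted order
    return "\n".join([owner, rtype, *sorted(rdata)]).encode()


def sign(owner, rtype, rdata, key):
    mac = hmac.new(key.secret, _canonical(owner, rtype, rdata), hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.key_tag, mac)


def signature_ok(owner, rtype, rdata, sig, key):
    expect = hmac.new(key.secret, _canonical(owner, rtype, rdata), hashlib.sha256).digest()
    return hmac.compare_digest(expect, sig.signature)


def matching_keys(dnskeys, sig):
    # RFC 4035 section 5.3.1: the RRSIG's algorithm and key tag select candidate keys
    return [k for k in dnskeys if k.algorithm == sig.algorithm and k.key_tag == sig.key_tag]


def validate_flawed(owner, rtype, rdata, rrsigs, dnskeys, ds_present):
    """Flawed logic: 'no matching DNSKEY for this RRSIG' is reported with the
    same value as 'the delegation is insecure', so the first unmatched RRSIG
    ends validation with INSECURE."""
    if not ds_present:
        return Status.INSECURE
    for sig in rrsigs:
        keys = matching_keys(dnskeys, sig)
        if not keys:
            return Status.INSECURE  # BUG: a missing key is not proof of insecurity
        if any(signature_ok(owner, rtype, rdata, sig, k) for k in keys):
            return Status.SECURE
    return Status.BOGUS


def validate_fixed(owner, rtype, rdata, rrsigs, dnskeys, ds_present):
    """Corrected logic: an RRSIG with no usable key simply cannot be checked,
    so the remaining RRSIGs are tried; only a DS-absence proof yields INSECURE."""
    if not ds_present:
        return Status.INSECURE
    for sig in rrsigs:
        keys = matching_keys(dnskeys, sig)
        if not keys:
            continue
        if any(signature_ok(owner, rtype, rdata, sig, k) for k in keys):
            return Status.SECURE
    return Status.BOGUS


def rollover_scenario(tamper=False):
    """Mid-rollover: the NS RRset carries RRSIGs from both the old (alg 5) and
    the new (alg 8) key, but the published DNSKEY RRset already holds only the
    new key. Constructed sample data; names, key tags and secrets are arbitrary."""
    old_key = DNSKEY(algorithm=5, key_tag=12345, secret=b"old-rsasha1-key-material")
    new_key = DNSKEY(algorithm=8, key_tag=54321, secret=b"new-rsasha256-key-material")
    rdata = ["ns1.example.", "ns2.example."]
    rrsigs = [sign("example.", "NS", rdata, old_key), sign("example.", "NS", rdata, new_key)]
    published = [new_key]
    if tamper:
        rdata = rdata + ["ns3.injected.example."]  # data the signatures do not cover
    args = ("example.", "NS", rdata, rrsigs, published, True)
    return validate_flawed(*args), validate_fixed(*args)


if __name__ == "__main__":
    print(rollover_scenario())             # (Status.INSECURE, Status.SECURE)
    print(rollover_scenario(tamper=True))  # (Status.INSECURE, Status.BOGUS)
```

The second run shows why the distinction matters to a defender: with the flawed logic, an NS RRset whose only remaining signature fails verification is still returned as insecure rather than bogus, so a validating resolver would hand the data back without SERVFAIL. The corrected logic reports INSECURE only when the delegation is proven unsigned.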


Impact

Answers are marked incorrectly as insecure.


Solution

Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the vendor information portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4-ESV-R4, 9.6.2-P3 or 9.6-ESV-R3, and 9.7.2-P3. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.

See also

Vendor Information

Vendor                         Status     Date Notified   Date Updated
Internet Systems Consortium    Affected   -               01 Dec 2010

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A



Thanks to Internet Systems Consortium for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2010-3614
  • Date Public: 01 Dec 2010
  • Date First Published: 01 Dec 2010
  • Date Last Updated: 01 Dec 2010
  • Severity Metric: 7.65
  • Document Revision: 17

