BIND administrators, get patching: there are three irritating flaws you need to splat.

The denial-of-service vulnerabilities in question are CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444.

Common to all three is that they're exploitable denial-of-service bugs that predominantly affect BIND-based DNS servers running in recursive mode (that is, if the DNS server doesn't have an answer locally, it passes the query upstream).

In CVE-2016-9131, if a BIND recursive server can be crashed by a malformed query response. The vulnerability note says the “combination of properties” that triggers the bug shouldn't occur in normal traffic, but an attacker could engineer a scenario that breaks the target.

In CVE-2016-9147, BIND can't handle query responses containing inconsistent DNSSEC information (DNSSEC is the standard that applies security to the domain name system): “an error in processing malformed query responses that contain DNSSEC-related RRsets that are inconsistent with other RRsets in the same query response can trigger an assertion failure.”

Finally, in CVE-2016-9444, an attacker could send a malformed answer containing a DS (delegation signer) record to crash the victim.

The Internet Systems Consortium has issued fixes here. ®