The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts:

The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to the article in this Knowledgebase on the vulnerability.

The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2017-3140, you will see that it cross-references to #88. You can look for column #88 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.11.1, you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.10) and below is included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date.

Using obsolete versions of BIND

We recommend that you not use obsolete versions of any ISC software; it was updated for a reason. Listings of vulnerabilities affecting obsolete versions of BIND have been split into articles grouped by branch: 9.0, 9.1, 9.2, 9.3, 9.4/9.4‑ESV, 9.5, 9.6/9.6‑ESV, 9.7, 9.8, 9.9, 9.9‑S, 9.10, 9.10‑S, 9.12, 9.13, 9.14, and 9.15.

Listing of Vulnerabilities affecting current branches of BIND

Why don't the reference numbers begin at 1? Our reference numbering started with BIND 8. We have since separated the information for BIND 8 and also obsolete branches of BIND 9. To reduce the possibility of confusion when referring to the individual pages we have chosen to maintain uniform numbering across all of them matching the historic numbering, including gaps where some reports affected only BIND 8. As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased. Issues only affecting obsolete branches of BIND have been moved to a separate section later in this KB.

BIND 9.17

BIND 9.17 is the current development branch of BIND.

BIND 9.16

BIND 9.11

BIND 9.11 Supported Preview edition

If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind.