QID 357286
Date Published: 2024-03-06
QID 357286: Amazon Linux Security Advisory for bind : ALAS2023-2024-550
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers, in BIND 9 versions 9.0.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. (CVE-2023-4408)

Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that a validator must evaluate all combinations of DNSKEY and RRSIG records. (CVE-2023-50387)

The closest encloser proof aspect of the DNS protocol (in RFC 5155, when the RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that a validator must perform thousands of iterations of a hash function in certain situations. (CVE-2023-5679)

To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
- ALAS2023-2024-550: alas.aws.amazon.com/AL2023/ALAS-2024-550.html
CVEs related to QID 357286

| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2023-2024-550 | Amazon Linux 2023 | bind | alas.aws.amazon.com/AL2023/ALAS-2024-550.html |