BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when encountering all of the following conditions in a managed trust anchor:
a key which was previously trusted is now flagged as revoked;
there are no other trusted keys available;
there is a standby key, but it is not trusted yet.
This situation results in termination of the named process and denial of service to clients, and can occur in two circumstances:
during an improperly-managed key rollover for one of the managed trust anchors (e.g., during a botched root key rollover), or
when deliberately triggered by an attacker, under specific and limited circumstances. ISC has demonstrated a proof-of-concept of this attack; however, the complexity of the attack is very high unless the attacker has a specific network relationship to the BIND server which is targeted.
Seems like net-dns/bind is pretty much unmaintained... Gentoo has only had these vulnerable versions in tree for weeks now :-/
@idl0r: Ping? Are you too busy? Or not interested in net-dns/bind anymore?
named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.
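The two facts an administrator needs in order to decide whether a given server is exposed are the version ranges named in the CVE text and whether the configuration actually uses managed keys (the advisory notes that "dnssec-validation auto;" or "dnssec-lookaside auto;" enable managed-keys implicitly). The following Python script is an added example, not code from ISC or Gentoo; the affected ranges are taken from the CVE text above, the directive names from the advisory text, and the function names, the sample named.conf fragment and the sample "named -v" strings are constructed for illustration. It treats a version with no "-P" suffix as patch level 0 so that, for example, 9.9.6 and 9.9.6-P1 sort below the fixed 9.9.6-P2.

```python
import re

# Affected ranges as stated in the CVE text: [first affected, first fixed).
# The fixed version itself is excluded. Source: the CVE description on this page.
AFFECTED_RANGES = [
    ("9.7.0", "9.9.6-P2"),    # 9.7.0 through 9.9.6 before 9.9.6-P2
    ("9.10.0", "9.10.1-P2"),  # 9.10.x before 9.10.1-P2
]

# major.minor.patch with an optional "-P<n>" security patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, plevel) from a BIND version string or from
    'named -v' output such as 'BIND 9.9.6-P1'. A missing -P suffix is level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIND version found in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version_text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version_text)
    for first, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v < parse_version(fixed):
            return True
    return False


def _strip_comments(conf):
    """Remove named.conf comment styles: /* ... */, // ... and # ... lines."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    conf = re.sub(r"//[^\n]*", "", conf)
    conf = re.sub(r"#[^\n]*", "", conf)
    return conf


# Directives that turn on managed keys (from the advisory text) plus an
# explicit managed-keys block.
_MANAGED_KEYS_RE = re.compile(
    r"dnssec-validation\s+auto\s*;|dnssec-lookaside\s+auto\s*;|managed-keys\s*\{",
    re.IGNORECASE,
)


def uses_managed_keys(conf_text):
    """True if the configuration enables managed keys, implicitly or explicitly."""
    return _MANAGED_KEYS_RE.search(_strip_comments(conf_text)) is not None


def assess(version_text, conf_text):
    """Combine both checks: exposed only when the version is affected AND the
    configuration relies on managed keys."""
    affected = is_affected_version(version_text)
    managed = uses_managed_keys(conf_text)
    return {"affected_version": affected,
            "managed_keys": managed,
            "exposed": affected and managed}


# Constructed sample inputs (not taken from any real host).
SAMPLE_NAMED_V = "BIND 9.9.6-P1"
SAMPLE_CONF = """
options {
    directory "/var/bind";
    // validation with the built-in root trust anchor -> managed keys
    dnssec-validation auto;
    dnssec-enable yes;
};
"""

if __name__ == "__main__":
    print(assess(SAMPLE_NAMED_V, SAMPLE_CONF))
```

Running it on a real host means feeding it the output of "named -v" and the contents of named.conf (including any files pulled in by include statements, which this example does not follow).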
This issue was resolved and addressed in
GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).