CVE-2026-3119 Overview
A denial of service vulnerability exists in ISC BIND 9 DNS server where named may crash when processing a correctly signed query containing a TKEY record. The vulnerable code path can only be reached when an incoming request has a valid transaction signature (TSIG) from a key declared in the named configuration. This vulnerability could allow an authenticated attacker with access to a valid TSIG key to cause service disruption on affected DNS infrastructure.
Critical Impact
Authenticated attackers holding a valid TSIG key can crash named with a correctly signed query containing a TKEY record, causing DNS service disruption until the daemon is restarted.
Affected Products
- BIND 9 versions 9.20.0 through 9.20.20
- BIND 9 versions 9.21.0 through 9.21.19
- BIND 9 versions 9.20.9-S1 through 9.20.20-S1
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-3119 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-3119
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the application contains an assertion that can be triggered by user input. When named receives a specially crafted query containing a TKEY record with a valid TSIG signature, it reaches a code path that causes the daemon to crash unexpectedly.
The attack requires network connectivity and low privileges, since the attacker must possess a valid TSIG key configured in the target named instance. The availability impact is high: a single signed query crashes named, and the attacker can repeat it after every restart, so DNS resolution for the affected server is lost for as long as the attacker keeps sending it. Confidentiality and integrity are not affected.
Root Cause
The root cause is a reachable assertion in the TKEY record processing code. When BIND 9 processes signed queries containing TKEY records under specific conditions, an assertion failure occurs that terminates the named process. The assertion was designed to catch unexpected states during development but can be triggered through legitimate protocol interactions by authenticated users.
Attack Vector
The attack requires network connectivity to the target DNS server and possession of a valid TSIG key that is configured in the named configuration. An attacker would craft a DNS query containing a TKEY record and sign it with the valid TSIG credentials. Upon processing this request, the vulnerable assertion is triggered, causing the named daemon to crash.
This is particularly concerning in environments where TSIG keys are shared with multiple parties for dynamic DNS updates or zone transfers, as any party with key access could potentially trigger this vulnerability.
Detection Methods for CVE-2026-3119
Indicators of Compromise
- Unexpected named process terminations or restarts in system logs
- Assertion failure messages in BIND logs referencing TKEY processing
- Increased frequency of DNS service interruptions correlated with TKEY query activity
- Log entries showing signed queries containing TKEY records immediately before crashes
Detection Strategies
- Monitor named logs for assertion failure messages and unexpected terminations
- Implement DNS query logging to identify unusual TKEY record requests
- Configure process monitoring to alert on named crashes and automatic restarts
- Review TSIG key usage patterns for anomalous authenticated query activity
Monitoring Recommendations
- Enable BIND query logging (categories queries and query-errors) for forensic analysis; in the query log, TSIG-signed queries carry the S flag in the flags field, which makes signed TKEY queries easy to filter
- Set up automated alerts for named process state changes using systemd or process supervisors
- Monitor DNS availability through synthetic health checks from multiple vantage points
- Implement log aggregation to correlate TKEY queries with service disruption events
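The detection and monitoring bullets above amount to one check: find TSIG-signed TKEY queries in the query log and tie them to the assertion-failure exit that follows. The script below, an added example that is not part of the original page or of BIND, runs that check over a small constructed sample of named log lines. The query lines follow BIND 9's queries-category format (the S flag marks a signed query, which is real BIND behaviour); the assertion line is a placeholder shape with <file>, <line> and <condition> standing in for the actual text, which this page does not quote. The function and variable names are the example's own.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of named log output (not a real capture). Query lines use
# the format of BIND 9's "queries" logging category; the "S" in the flags field
# marks a TSIG-signed query. The REQUIRE line is a placeholder, not the actual
# assertion text from the affected code.
SAMPLE_LOG = """\
12-Mar-2026 10:14:01.120 queries: info: client @0x7f1a2c003a60 192.0.2.10#40213 (example.com): query: example.com IN SOA -S (198.51.100.1)
12-Mar-2026 10:14:01.900 queries: info: client @0x7f1a2c003c20 203.0.113.9#52001 (example.com): query: example.com IN TKEY +E(0) (198.51.100.1)
12-Mar-2026 10:14:02.004 queries: info: client @0x7f1a2c003a60 192.0.2.10#40214 (example.com): query: example.com IN TKEY -S (198.51.100.1)
12-Mar-2026 10:14:02.031 general: critical: <file>:<line>: REQUIRE(<condition>) failed
12-Mar-2026 10:14:02.031 general: critical: exiting (due to assertion failure)
12-Mar-2026 10:20:15.500 queries: info: client @0x7f1a2c004b10 203.0.113.7#51000 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.1)
"""

# Default named log timestamp layout (print-time yes): dd-Mon-yyyy HH:MM:SS.mmm
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
TS_RE = re.compile(r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<rest>.*)$")
# client <addr>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server-addr>)
QUERY_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<src>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)
# Text named logs from its assertion handler just before it exits.
CRASH_MARKER = "exiting (due to assertion failure)"


def parse_line(line):
    """Classify one named log line as a query, a crash exit, or something else."""
    m = TS_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    rest = m.group("rest")
    q = QUERY_RE.search(rest)
    if q:
        flags = q.group("flags")
        return {
            "ts": ts,
            "kind": "query",
            "src": q.group("src"),
            "qname": q.group("qname"),
            "qtype": q.group("qtype"),
            # flags start with + (RD set) or - (RD clear); S after that means TSIG-signed
            "signed": "S" in flags[1:],
        }
    if CRASH_MARKER in rest:
        return {"ts": ts, "kind": "crash"}
    return {"ts": ts, "kind": "other"}


def parse_log(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def signed_tkey_queries(log_text):
    """All TSIG-signed TKEY queries: the only traffic that can reach the vulnerable path."""
    return [e for e in parse_log(log_text)
            if e["kind"] == "query" and e["qtype"] == "TKEY" and e["signed"]]


def signed_tkey_sources(log_text):
    """Per-source counts of signed TKEY queries, for reviewing TSIG key usage patterns."""
    return Counter(e["src"] for e in signed_tkey_queries(log_text))


def correlate_tkey_crashes(log_text, window_seconds=5):
    """For each assertion-failure exit, list sources that sent a signed TKEY query
    within the preceding window. Returns a list of {"crash_ts", "sources"}."""
    events = parse_log(log_text)
    findings = []
    for crash in (e for e in events if e["kind"] == "crash"):
        window_start = crash["ts"] - timedelta(seconds=window_seconds)
        suspects = {e["src"] for e in events
                    if e["kind"] == "query" and e["qtype"] == "TKEY" and e["signed"]
                    and window_start <= e["ts"] <= crash["ts"]}
        if suspects:
            findings.append({"crash_ts": crash["ts"], "sources": sorted(suspects)})
    return findings


if __name__ == "__main__":
    for f in correlate_tkey_crashes(SAMPLE_LOG):
        print(f"named exited at {f['crash_ts']} after signed TKEY from {', '.join(f['sources'])}")
```

Feed it the file your queries and general channels write to; if named logs through syslog, or the channel uses a different print-time format, adjust TS_RE and TS_FMT accordingly. The unsigned TKEY query from 203.0.113.9 in the sample is deliberately not reported: without a valid TSIG signature it never reaches the vulnerable path, so flagging every TKEY query would only add noise.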
How to Mitigate CVE-2026-3119
Immediate Actions Required
- Upgrade to BIND 9.20.21 or BIND 9.21.20 immediately to address this vulnerability
- Review and audit all TSIG keys configured in named.conf to minimize exposure
- Restrict network access to DNS servers where possible using firewall rules
- Treat query rate limiting only as defense in depth: a single correctly signed TKEY query is enough to crash named, so limiting query rates slows repeated attempts but does not prevent the crash
Patch Information
ISC has released patched versions to address this vulnerability. Organizations should upgrade to the following fixed versions:
- BIND 9.20.21 - For the 9.20.x branch
- BIND 9.21.20 - For the 9.21.x branch
For detailed technical information about this vulnerability, refer to the ISC Knowledge Base article for CVE-2026-3119.
Note that BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected by this vulnerability.
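Checking a fleet against the affected and fixed versions listed above is mostly a matter of parsing the three-part version and the optional -S1 edition suffix correctly. The script below is an added example, not code from this page or from ISC; the ranges it encodes are exactly those stated above, and the function names and the handling of the first line of `named -v` output are the example's own assumptions.

```python
import re

# Affected ranges as listed on this page. Keys are (major, minor, edition);
# the edition is "" for the open-source branches and "S1" for the 9.20.x-S1
# Supported Preview edition. 9.18.x and 9.18.x-S1 are not listed and so
# are treated as not affected, which matches the page.
AFFECTED_RANGES = {
    (9, 20, ""):   (0, 20),   # 9.20.0 through 9.20.20
    (9, 21, ""):   (0, 19),   # 9.21.0 through 9.21.19
    (9, 20, "S1"): (9, 20),   # 9.20.9-S1 through 9.20.20-S1
}

# Fixed releases named on this page; no fixed -S1 release is stated here.
FIXED_VERSIONS = {
    (9, 20, ""): "9.20.21",
    (9, 21, ""): "9.21.20",
}

# Matches "9.20.20" or "9.20.20-S1" wherever it appears, e.g. in the first line
# of `named -v` output; distribution suffixes such as "-1-Debian" are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text):
    """Return (major, minor, patch, edition) from a version string or `named -v` line."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, edition = m.groups()
    return int(major), int(minor), int(patch), edition or ""


def is_affected(text):
    """True when the version falls inside one of the affected ranges above."""
    major, minor, patch, edition = parse_version(text)
    bounds = AFFECTED_RANGES.get((major, minor, edition))
    return bounds is not None and bounds[0] <= patch <= bounds[1]


def fixed_version(text):
    """Fixed release for the version's branch, or None when this page lists none."""
    major, minor, _patch, edition = parse_version(text)
    return FIXED_VERSIONS.get((major, minor, edition))


def assess(text):
    """One-line verdict suitable for an inventory report."""
    major, minor, patch, edition = parse_version(text)
    label = f"{major}.{minor}.{patch}" + (f"-{edition}" if edition else "")
    if not is_affected(text):
        return f"{label}: not affected"
    fix = fixed_version(text)
    return f"{label}: affected, upgrade to {fix or 'the fixed release for this edition (see ISC advisory)'}"


if __name__ == "__main__":
    import subprocess
    # First line of `named -v` looks like "BIND 9.20.20 (Stable Release) <id:...>"
    first_line = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout.splitlines()[0]
    print(assess(first_line))
```

Run it on each resolver or authoritative host, or feed it version strings collected by your configuration management; the `__main__` block assumes named is on PATH. Because the -S1 edition is tracked as a separate key, 9.20.9-S1 is reported as affected while 9.20.8-S1 is not, which is what the listed range says.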
Workarounds
- Limit TSIG key distribution to only essential trusted parties requiring DNS update or transfer capabilities
- Implement network segmentation to restrict access to DNS servers from untrusted networks
- Consider deploying redundant DNS infrastructure to maintain service availability during potential attacks
- Do not count on BIND's minimal-responses option here: it only trims the authority and additional sections of responses and does not change how signed TKEY queries are processed, so it is not a workaround for this issue
# Configuration example
# Review and restrict TSIG key access in named.conf
# Ensure only essential keys are configured
key "update-key" {
    algorithm hmac-sha256;
    # Base64-encoded secret, e.g. generated with tsig-keygen
    secret "<base64-secret>";
};
# Restrict the addresses that may use this key for dynamic updates
acl "trusted-updaters" {
    192.168.1.0/24;
    10.0.0.0/8;
};
zone "example.com" {
    type master;
    file "example.com.zone";
    # Order matters: an address match list stops at the first matching
    # element, so the address check must come before the key entry.
    # With "key" first, any request signed with the key would be
    # accepted before the address restriction is ever evaluated.
    allow-update { !{ !trusted-updaters; any; }; key "update-key"; };
};
# Note: allow-update only governs dynamic updates. A holder of the key who
# can reach the server can still send a signed TKEY query, so this limits the
# key's blast radius but does not replace upgrading or network filtering.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.