Aram Sargsyan

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.0.0 through 9.11.37 BIND 9 versions 9.16.0 through 9.16.50 BIND 9 versions 9.18.0 through 9.18.27 BIND 9 versions 9.19.0 through 9.19.24 BIND 9 versions 9.9.3-S1 through 9.11.37-S1 BIND 9 versions 9.16.8-S1 through 9.16.49-S1 BIND 9 versions 9.18.11-S1 through 9.18.27-S1 **Description** A client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests if a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache. **Recommendations** For BIND 9 versions 9.0.0 through 9.11.37, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.16.0 through 9.16.50, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.18.0 through 9.18.27, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.19.0 through 9.19.24, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.9.3-S1 through 9.11.37-S1, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.16.8-S1 through 9.16.49-S1, update to a version outside of this range to resolve the issue. For BIND 9 versions 9.18.11-S1 through 9.18.27-S1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of SIG(0) signed requests to minimize the risk of exploitation.