Source: bind9
Version: 1:9.10.3.dfsg.P4-11
Severity: grave
bind9 uses /dev/random unconditionally without the possibility to change
that in the configuration. It uses it for example in dnssec-keygen or
during dnssec key operations in named. /dev/random can and will block
at random times. If this happens in named, the whole daemon will cease
to answer any requests. In my tests this always happens with ECDSA key
operations, which need randomness. This is effectively a DoS.
Bastian
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
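As an added illustration of the failure mode described in this report (this is example code, not part of the bug report and not bind9's own code), the following C program probes whether a random device would block a normal read() right now and shows how a service can read from such a device with a bounded wait instead of an unbounded blocking read(). The device paths and the 200 ms timeout are assumptions chosen for the demonstration; on kernels where /dev/random blocks when the pool is low, `random_dev_would_block("/dev/random")` returns 1 and the bounded read returns short.

```c
/* Added example (not part of the bug report or of bind9): probe whether a
 * random device would block, and read from it with a bounded wait instead
 * of an unbounded blocking read(). Device paths are parameters. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if a non-blocking read on `path` reports EAGAIN (a normal
 * blocking read would stall right now), 0 if it yielded a byte, and -1 if
 * the device cannot be opened or read. */
int random_dev_would_block(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    unsigned char b;
    ssize_t n = read(fd, &b, 1);
    int saved = errno;
    close(fd);
    if (n == 1)
        return 0;
    if (n < 0 && (saved == EAGAIN || saved == EWOULDBLOCK))
        return 1;
    return -1; /* any other outcome: treat the device as unusable */
}

/* Read up to `len` bytes from `path`, waiting at most `timeout_ms` for each
 * chunk to become available. Returns the number of bytes obtained (possibly
 * short) or -1 on error. A daemon can log a short result and fall back
 * rather than hanging all of its request handling on one read(). */
ssize_t random_dev_read_bounded(const char *path, unsigned char *buf,
                                size_t len, int timeout_ms)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;
            continue;
        }
        if (n == 0)
            break; /* unexpected EOF on a device: stop with what we have */
        if (errno == EINTR)
            continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK) {
            close(fd);
            return -1;
        }
        /* Pool is empty: wait a bounded time for it to refill, then retry. */
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int r = poll(&pfd, 1, timeout_ms);
        if (r <= 0)
            break; /* timeout or poll error: give up with a short read */
    }
    close(fd);
    return (ssize_t)got;
}

int main(void)
{
    unsigned char buf[32];
    const char *devs[] = { "/dev/random", "/dev/urandom" };
    for (size_t i = 0; i < 2; i++) {
        int wb = random_dev_would_block(devs[i]);
        ssize_t n = random_dev_read_bounded(devs[i], buf, sizeof buf, 200);
        printf("%-12s would_block=%d bytes_in_200ms=%zd\n", devs[i], wb, n);
    }
    return 0;
}
```

Run it under load on a kernel that still blocks /dev/random (the 4.9 kernel in this report does) and the first line shows `would_block=1` with a short byte count, while /dev/urandom always returns the full 32 bytes immediately; that contrast is the whole difference between a daemon that stalls and one that keeps answering.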