The vulnerability is critical as an attackers can bring down huge swaths of the Internet. The vulnerability resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that's
Normally, denial-of-service bugs receive low-severity ratings, but when they're present in servers that form the Internet's very core, the risks are much higher. Lead investigator Michael McNally from the Internet Systems Consortium (ISC) said in a security advisory the bug, CVE-2015-5477, is a critical issue which can allow hijackers to send malicious packets to knock out email systems, websites and other online services.
The advisory says the bug, awarded a CVSS score of 7.8, could impact on large swathes of the internet and is caused by "an error in the handling of [transaction key records] TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit."
BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my "masscan" tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn't mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.