Dynamic DNS with Bind Stopped Working
In 2021 I set up a dynamic DNS server using the popular ISC bind DNS server and documented my configuration in a blog article [1].
Recently (around the second half of the year 2024) the DNS updates stopped working. In my configuration I was using the public-key method for signing DNS updates, also known as SIG(0). This has long been supported in bind and is still documented to work in the latest version.
All DNS update requests were suddenly denied with a REFUSED status. Even turning on debugging with the -d 15 option to named I was not able to get any further information, not even when logging to standard output with -g.
It turns out that the public-key signatures using SIG(0) have been disabled due to a denial-of-service attack vector documented in CVE-2024-1975. DNS updates with shared TSIG keys still work. Unfortunately this did not seem to be documented, and no log message points at it. I've filed a bug report for bind.
As it turns out, I would have had to look at the documentation for version 9.18, the version shipped with Debian stable (bookworm) at the time of this writing: it documents that SIG(0) has been removed due to CVE-2024-1975.
It looks like later versions of bind (e.g. 9.20.6 and up) support SIG(0) again, but with a quota mechanism to limit the denial-of-service exposure. For prior versions, however, the "fix" seems to consist of disabling SIG(0) entirely.
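The diagnosis above (TSIG updates accepted, SIG(0) updates refused, nothing in the logs) can be turned into a quick check. The following script is an added example and not the author's configuration or scripts: it sends the same harmless UPDATE (add a TXT record and delete it again within one message) through nsupdate, once with a TSIG key file and once with a SIG(0) private key file, and compares the two response codes. The server name, zone name and key file names are placeholders passed on the command line; the probe record name _sig0probe is likewise made up for the example.

```shell
#!/bin/sh
# Added example, not the author's scripts: probe whether a BIND server still
# accepts SIG(0)-signed dynamic updates by comparing a TSIG-signed and a
# SIG(0)-signed copy of the same no-op UPDATE. Placeholder usage:
#   ./sig0-probe.sh ns.example.org dyn.example.org ./tsig.key ./Ksig0.+013+12345.private

# Map nsupdate's output to the response code it reports. nsupdate prints
# nothing when the update succeeded and "update failed: <RCODE>" otherwise.
rcode_from_nsupdate_output() {
    if [ -z "$1" ]; then
        printf 'NOERROR\n'
        return 0
    fi
    code=$(printf '%s\n' "$1" | sed -n 's/.*update failed: \([A-Z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${code:-UNKNOWN}"
}

# Send the no-op UPDATE with key file $1 to server $2 for zone $3.
# nsupdate -k accepts both a TSIG key file and a SIG(0) K*.private file,
# so the same function exercises both signing methods.
probe_update() {
    out=$(printf 'server %s\nzone %s\nupdate add _sig0probe.%s 60 IN TXT "probe"\nupdate delete _sig0probe.%s TXT\nsend\n' \
              "$2" "$3" "$3" "$3" | nsupdate -k "$1" 2>&1)
    rcode_from_nsupdate_output "$out"
}

# Interpret the pair of results: $1 = rcode of the TSIG attempt, $2 = rcode of
# the SIG(0) attempt.
classify() {
    if [ "$1" = NOERROR ] && [ "$2" = REFUSED ]; then
        printf 'sig0-disabled\n'           # TSIG works, SIG(0) refused: this build has SIG(0) turned off
    elif [ "$1" = NOERROR ] && [ "$2" = NOERROR ]; then
        printf 'both-accepted\n'
    elif [ "$1" = REFUSED ] && [ "$2" = REFUSED ]; then
        printf 'policy-or-key-problem\n'   # neither key accepted: look at update-policy / allow-update first
    else
        printf 'inconclusive\n'            # e.g. NOTAUTH (unknown TSIG key), SERVFAIL, timeout
    fi
}

main() {
    server=$1; zone=$2; tsig_key=$3; sig0_key=$4
    tsig=$(probe_update "$tsig_key" "$server" "$zone")
    sig0=$(probe_update "$sig0_key" "$server" "$zone")
    printf 'TSIG update:   %s\nSIG(0) update: %s\nverdict:       %s\n' \
        "$tsig" "$sig0" "$(classify "$tsig" "$sig0")"
}

# Only run the probe when all four arguments are given, so the functions can
# also be sourced or tested on their own.
if [ $# -eq 4 ]; then
    main "$@"
fi
```

A verdict of sig0-disabled is the situation described in this post: the server accepts the TSIG-signed update but answers REFUSED to the SIG(0)-signed one. In that case check the version with named -v on the server and compare it with the release notes for CVE-2024-1975; if both attempts are refused, the problem is with the update policy or the keys rather than with SIG(0).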