named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. (CVE-2016-1286)
Impact
An attacker may force the system to look up a malicious server that is serving bad RRSIGs and may cause the BIND service to restart.
Note: Typically, a BIND service restart does not cause the affected system to fail over.
BIG-IP
Although BIG-IP software contains the vulnerable code, the BIG-IP system does not use the vulnerable code in a way that exposes the vulnerability in the default configuration. The BIG-IP system must meet both of the following conditions to be considered vulnerable:
For example:
* A virtual server with a DNS profile is configured with the **Use BIND Server on BIG-IP** option (this option is enabled by default for the DNS profile).
* A DNS/GTM pool uses the **Return to DNS** load balancing method, or its **Alternate** and **Fallback** load balancing methods are set to **None**, and all pools associated with the wide IP are unavailable.
BIG-IQ and Enterprise Manager
BIG-IQ and Enterprise Manager systems are not vulnerable in their default standard configurations. The vulnerability is exposed only when the BIG-IQ or Enterprise Manager system is manually configured to enable recursion explicitly and to act as a DNS server that queries a server providing malicious responses. F5 recommends that you do not configure the BIG-IQ or Enterprise Manager system to act as a DNS server.
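The two checks this advisory implies, the affected version range from the CVE description and an explicit recursion setting, as an added example that is not part of the F5 advisory or of ISC code. It assumes upstream ISC version strings as printed by `named -v`; the function names and sample inputs are constructed, and builds with vendor or pre-release suffixes are reported as unknown rather than guessed.

```python
import re

# Fixed releases from the CVE-2016-1286 description on this page.
FIXED = {"9.10": (9, 10, 3, 4), "9.x": (9, 9, 8, 4)}

# Plain ISC releases only: 9.MINOR.PATCH with optional -P<n>.
# Pre-releases (rc1, b2), -S editions and distro suffixes do not match.
_RELEASE = re.compile(r"\b9\.(\d+)\.(\d+)(?:-P(\d+))?(?![\w.-])")


def is_affected(banner):
    """True/False for a plain ISC release, None when it cannot be decided."""
    m = _RELEASE.search(banner)
    if m is None:
        return None
    minor, patch, plevel = int(m[1]), int(m[2]), int(m[3] or 0)
    version = (9, minor, patch, plevel)
    if minor == 10:
        return version < FIXED["9.10"]
    if minor < 10:
        return version < FIXED["9.x"]
    return False  # 9.11 and later are outside the ranges the CVE names


def recursion_explicitly_enabled(named_conf):
    """Detect an uncommented `recursion yes;` (BIND also accepts true and 1)."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)  # /* ... */
    text = re.sub(r"(//|#).*", "", text)                      # // and # comments
    return re.search(r"\brecursion\s+(yes|true|1)\s*;", text, re.I) is not None


def assess(banner, named_conf):
    affected = is_affected(banner)
    if affected is None:
        return "unknown: check the vendor advisory for this build"
    if not affected:
        return "not affected: outside the affected range"
    if recursion_explicitly_enabled(named_conf):
        return "exposed: affected release with recursion enabled"
    return "affected release, recursion not explicitly enabled"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real system.
    conf = "options {\n  // recursion no;\n  recursion yes;\n};\n"
    for banner in ("BIND 9.9.8-P3", "BIND 9.10.3-P4", "BIND 9.10.3rc1"):
        print(banner, "->", assess(banner, conf))
```

The recursion check covers only the explicit setting this advisory describes; a configuration that omits the option is reported as not explicitly enabled.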
ARX, FirePass, LineRate, F5 WebSafe, and Traffix SDC
There is no impact. These F5 products are not affected by these vulnerabilities.