ISC has published update 9.8.0-P1 for its BIND DNS server to close a potential denial-of-service (DoS) hole. Signed server replies (RRSIG) can cause a BIND server to crash under certain circumstances. According to ISC, however, the vulnerability only occurs if the vulnerable server supports response policy zones (RPZs).
RPZs define which domain names are not to be resolved; the definitions can, for instance, be taken from a reputation database. First implemented in BIND 9.8.0, RPZ is designed to combat the thousands of spam and malware domains registered daily.
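
A quick way to check whether a resolver matches the conditions described above, as an added example that is not ISC's or the article's own code: it flags a server only when the banner reports plain 9.8.0 and `named.conf` contains an active `response-policy` statement. Reading "supports RPZ" as "has `response-policy` configured" is an assumption, as are the function names and the constructed sample configuration.

```python
import re

# Quoted strings are kept; the three named.conf comment styles are dropped.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_RPZ_BLOCK = re.compile(r'\bresponse-policy\s*\{(.*?)\}\s*;', re.S)
_RPZ_ZONE = re.compile(r'\bzone\s+"?([^\s";]+)"?')
_VERSION = re.compile(r'(\d+\.\d+\.\d+)((?:-P|rc|b|a)\d+)?')

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // response-policy { zone "old.rpz.example"; };   disabled entry
    response-policy { zone "rpz.example"; };
};
zone "rpz.example" { type master; file "rpz.example.db"; };
'''

def strip_comments(conf):
    """Remove comments so a commented-out statement is not counted."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf)

def rpz_zones(conf):
    """Return the zone names listed in active response-policy statements."""
    zones = []
    for block in _RPZ_BLOCK.findall(strip_comments(conf)):
        zones += _RPZ_ZONE.findall(block)
    return zones

def assess(version_banner, conf):
    """Combine the version banner (e.g. from `named -v`) with the RPZ check.

    Only the release named in the article (9.8.0 without a patch suffix)
    is flagged; other versions are reported but not judged.
    """
    m = _VERSION.search(version_banner)
    if not m:
        raise ValueError("no BIND version found in banner")
    release = m.group(1) + (m.group(2) or "")
    zones = rpz_zones(conf)
    return {"release": release, "rpz_zones": zones,
            "needs_update": release == "9.8.0" and bool(zones)}

if __name__ == "__main__":
    print(assess("BIND 9.8.0", SAMPLE_CONF))
    print(assess("BIND 9.8.0-P1", SAMPLE_CONF))
```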

The link for this article located at H Security is no longer available.