
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-1737 affects BIND 9, where resolver caches and authoritative zone databases containing significant numbers of Resource Records (RRs) for the same hostname can experience degraded performance during content addition, updates, and when handling client queries. This vulnerability impacts BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, and various BIND Supported Preview Edition versions (ISC Advisory).
The vulnerability occurs when processing queries for hostnames with a large number of resource records, which can cause performance degradation by a factor of 100. The issue affects both resolver caches and authoritative zone databases, impacting their performance during content manipulation and query handling. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (ISC Advisory, Red Hat).
The primary impact of this vulnerability is on system availability, where processing of DNS queries may be significantly slowed down, potentially leading to denial of service conditions. The performance degradation can affect both resolver operations and authoritative server responses, causing substantial delays in DNS resolution services (Red Hat, ISC Advisory).
The primary mitigation is to upgrade to patched versions: BIND 9.18.28, 9.20.0, or BIND Supported Preview Edition 9.18.28-S1. Two new configuration statements have been introduced as part of the fix: 'max-records-per-type' and 'max-types-per-name', both defaulting to 100, which help prevent the loading of zones containing excessive RRsets (ISC Advisory, ISC RRset Limits).
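Because the new 'max-records-per-type' and 'max-types-per-name' defaults can cause an existing zone with oversized RRsets to fail to load after the upgrade, an operator will want to know in advance which names would exceed them. The following Python script is an added example (it is not part of this report and not ISC's code): it reads a master-format zone file, counts records per (owner, type) and types per owner, and reports anything over the two limits. It assumes a simple zone file without $INCLUDE or $GENERATE directives, treats RRSIG as an ordinary type (which may differ from named's own accounting), and the sample zone it checks is constructed inline.

```python
"""Pre-upgrade check for the RRset limits added with the CVE-2024-1737 fix.

Added example, not ISC code. Counts RRs per (owner, type) and distinct types
per owner in a master-format zone and flags names that exceed the limits.
Approximation: $INCLUDE/$GENERATE are not expanded and RRSIG is counted as
its own type, so named's own accounting may differ at the margins.
"""
import re
from collections import defaultdict

DEFAULT_MAX_RECORDS_PER_TYPE = 100   # named default for max-records-per-type
DEFAULT_MAX_TYPES_PER_NAME = 100     # named default for max-types-per-name
RR_CLASSES = {"IN", "CH", "HS", "ANY"}
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)   # 3600, 1h, 2d ...


def _absolute(name, origin):
    """Return the fully qualified, lower-cased owner name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def _logical_lines(text):
    """Strip comments and fold parenthesised multi-line records into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # comments start at ';'
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)   # leading whitespace of buf[0] is preserved
            buf, depth = [], 0


def parse_zone(text, origin):
    """Yield (owner, rtype) for every RR in the zone text."""
    if not origin.endswith("."):
        origin += "."
    origin = origin.lower()
    prev_owner = None
    for line in _logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = _absolute(line.split()[1], origin)
            continue
        if line.startswith("$"):          # $TTL, $INCLUDE, $GENERATE: not expanded
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():             # blank owner field: reuse previous owner
            owner = prev_owner
        else:
            owner = _absolute(tokens.pop(0), origin)
        prev_owner = owner
        # optional TTL and class fields precede the type
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in RR_CLASSES):
            tokens.pop(0)
        if not tokens:
            continue
        yield owner, tokens[0].upper()


def check_limits(records, max_records_per_type=DEFAULT_MAX_RECORDS_PER_TYPE,
                 max_types_per_name=DEFAULT_MAX_TYPES_PER_NAME):
    """Return a list of (limit-name, owner, rtype-or-None, count) violations."""
    per_type = defaultdict(int)
    types = defaultdict(set)
    for owner, rtype in records:
        per_type[(owner, rtype)] += 1
        types[owner].add(rtype)
    violations = []
    for (owner, rtype), n in sorted(per_type.items()):
        if n > max_records_per_type:
            violations.append(("max-records-per-type", owner, rtype, n))
    for owner, ts in sorted(types.items()):
        if len(ts) > max_types_per_name:
            violations.append(("max-types-per-name", owner, None, len(ts)))
    return violations


# Constructed sample zone: one name carries 101 TXT records, which exceeds
# the default max-records-per-type of 100.
SAMPLE_ZONE = (
    "$ORIGIN example.test.\n"
    "$TTL 3600\n"
    "@ IN SOA ns1 hostmaster (\n"
    "    2024070100 ; serial\n"
    "    7200 3600 1209600 300 )\n"
    "    NS ns1\n"
    "ns1 A 192.0.2.1\n"
    "www A 192.0.2.10\n"
    "    AAAA 2001:db8::10\n"
    + "".join(f'many TXT "record {i}"\n' for i in range(101))
)

if __name__ == "__main__":
    for limit, owner, rtype, n in check_limits(parse_zone(SAMPLE_ZONE, "example.test.")):
        what = f"{rtype} records" if rtype else "record types"
        print(f"{owner}: {n} {what} exceeds {limit}")
```

Run it against a real zone with `check_limits(parse_zone(open(path).read(), zone_origin))`; any name it reports will need to be split or trimmed before the upgraded named will load the zone with the default limits.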
The vulnerability has prompted significant attention from major Linux distributions, with Ubuntu, Red Hat, and Debian all releasing security updates to address the issue. Notable discussion arose regarding the BIND 9.18 series fix, where some community members expressed concern about the complete removal of SIG(0) dynamic DNS update support as part of the mitigation strategy (OSS Security).
Source: This report was generated using AI