Preface: BIND is the most commonly used DNS software on the Internet today. DNS servers that run BIND account for about 90% of all DNS servers. BIND is now developed and maintained by the ISC (Internet Systems Consortium).
Background: The ISC BIND server contained the vulnerable code within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, but ISC did not merge the patch at that time. After 15 years, ISC patched the bug in BIND and assigned it CVE-2020-8625. However, a second new vulnerability has since appeared in BIND: CVE-2021-25216.
Vulnerability details: The details of this vulnerability are very complicated. Please refer to the official announcement: https://kb.isc.org/docs/cve-2021-25216
Ref: GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction) is an extension to the TSIG DNS authentication protocol for secure key exchange. It is a GSS-API algorithm which uses Kerberos for passing security tokens to provide authentication, integrity and confidentiality.
GSS-TSIG uses TKEY records for key exchange between the DNS client and server in GSS-TSIG mode. For authentication between the DNS client and Active Directory.
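To see where GSS-TSIG key exchange shows up on the wire, the following added example (not code from the original page or from ISC) parses a raw DNS message and reports any TKEY records, whose mode 3 marks GSS-API negotiation per RFC 2930. The function names are hypothetical, and the sample query is constructed with a placeholder token of zero bytes.

```python
import struct

TYPE_TKEY = 249    # TKEY RR type (RFC 2930)
MODE_GSSAPI = 3    # TKEY mode 3 = GSS-API negotiation (RFC 2930)

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(256):                          # bound work on pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length
    raise ValueError("name too long or compression pointer loop")

def tkey_records(msg):
    """Return every TKEY record in a DNS message; raises on truncated input."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):                           # skip the question section
        off = parse_name(msg, off)[1] + 4         # name + QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = parse_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_TKEY:
            alg, p = parse_name(msg, off)         # RDATA starts with the algorithm name
            _inc, _exp, mode, _err, klen = struct.unpack_from("!IIHHH", msg, p)
            found.append({"algorithm": alg, "mode": mode, "token_len": klen})
        off += rdlen
    return found

def build_sample_query(token=b"\x00" * 32):
    """Constructed TKEY query with a placeholder token (not a real capture)."""
    question = encode_name("1234.sig-dns.example.test") + struct.pack("!HH", TYPE_TKEY, 255)
    rdata = (encode_name("gss-tsig") + struct.pack("!IIHHH", 0, 0, MODE_GSSAPI, 0, len(token))
             + token + struct.pack("!H", 0))      # trailing Other Size = 0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TKEY, 255, 0, len(rdata)) + rdata
    return struct.pack("!6H", 0x1A2B, 0, 1, 0, 0, 1) + question + rr
```

A record whose `mode` equals `MODE_GSSAPI` is GSS-TSIG negotiation traffic; `token_len` is the size of the security token the record carries.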