A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off.
A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off.
https://kb.isc.org/article/AA-01606/74/CVE-2018-5737
Workaround: Setting "max-stale-ttl 0;" in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.) Setting "stale-answer enable off;" is not sufficient to prevent exploitation, max-stale-ttl needs to be set to zero.