Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the 'rndc" server control utility).
This assertion occurs before authentication but after network-address-based access controls have been applied. Or in other words: an attacker does not need to have a key or other authentication, but does need to be within the address list specified in the "controls" statement in named.conf which enables the control channel. If no "controls" statement is present in named.conf, named still defaults to listening for control channel information on loopback addresses (127.0.0.1 and ::1) if the file rndc.key is present in the configuration directory and contains a valid key.
A search for similar problems revealed an associated defect in the rndc server control utility whereby a malformed response from the server could cause the rndc program to crash. For completeness, it is being fixed at the same time even though this defect in the rndc utility is not in itself exploitable.
An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c.