As discussed upstream, parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. Also disclosed upstream today was CVE-2015-5986 which does not impact the version of bind in the Amazon Linux AMI.