A minor bugfix added to BIND 9.9.6, 9.8.8 and 9.10.0 introduced a regression that makes the nsupdate(8) utility fail to resolve (and thus fail to send updates to) the SOA MNAME host in some cases. (The MNAME or master name is the first text value in a zone's SOA record; by default that is the host to which nsupdate will send updates for that zone.)
This occurs when all of these conditions exist:
- SOA MNAME server name is in a different zone (not in the zone being updated)
- SOA MNAME server is not authoritative for that other zone
- SOA MNAME server refuses recursive queries from the nsupdate client
What happens: nsupdate queries the SOA MNAME server for its own name. If it gets no answer or the answer is "REFUSED", nsupdate falls back to the server from which it obtained the SOA query response (typically the nameserver listed in resolv.conf(5)).
This regression still exists in BIND 9.9.6-P1 and 9.10.1-P1, but it was not considered important enough to stop the releases thereof. It will be addressed in BIND 9.9.7, 9.10.2 and future versions. BIND 9.8 is EOL and will not be fixed.
Workarounds are possible:
- Continue using current versions of BIND, but revert to an older copy of nsupdate from BIND 9.9.5 or 9.8.7 as appropriate (nsupdate is not affected by CVE-2014-8500)
- Specify a "server" argument in nsupdate input
- Run nsupdate on the SOA MNAME host in local-host only mode using the -l flag
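The "server" workaround, sketched as an added example (not ISC's code): a shell helper that reads the MNAME from SOA rdata, checks the first condition listed above, and builds nsupdate input with an explicit server line. The zone, hosts, record and SOA rdata are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Zone, hosts and SOA rdata are constructed sample values;
# the function names are hypothetical.

# MNAME is the first field of SOA rdata (e.g. from `dig +short SOA <zone>`).
soa_mname() {
    printf '%s\n' "$1" | awk '{ print tolower($1) }'
}

# Exit 0 when NAME lies outside ZONE's apex, so it is certainly in a
# different zone (the first condition above). A name under the apex can
# still sit in a delegated child zone, so exit 1 is only a heuristic "no".
mname_outside_zone() {
    name=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    apex=$(printf '%s' "${2%.}" | tr 'A-Z' 'a-z')
    case "$name" in
        "$apex" | *".$apex") return 1 ;;
        *) return 0 ;;
    esac
}

# Build nsupdate input. The "server" line names the update target
# explicitly, which is the workaround listed above.
build_batch() {   # usage: build_batch ZONE SERVER RECORD...
    zone=$1; server=$2; shift 2
    printf 'server %s\nzone %s\n' "$server" "$zone"
    for rr in "$@"; do
        printf 'update add %s\n' "$rr"
    done
    printf 'send\n'
}

# Demo on constructed data: print the batch instead of sending it.
SOA='ns1.example.net. hostmaster.example.com. 2015010101 3600 900 604800 300'
MNAME=$(soa_mname "$SOA")
if mname_outside_zone "$MNAME" example.com.; then
    echo "MNAME $MNAME is outside example.com.: pin the server" >&2
fi
build_batch example.com. "$MNAME" 'www.example.com. 300 A 192.0.2.10'
```

The printed batch can be piped into nsupdate in place of hand-typed input.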
If none of the workarounds are adequate, the patches attached to this article (see below) can be applied against the BIND-9.9.6-P1 or 9.10.1-P1 source code.
© 2001-2016 Internet Systems Consortium