Numerous defects have been found in the BIND 9.10 implementation of Response Policy Zones (RPZ) which can lead to a crash of the named process.
Posting date: 10 Jun 2015
9.10.0 through 9.10.2 (inclusive)
The defect also affects the BIND 9 Subscription Edition, which is only available to ISC BIND Support customers; versions 9.9.3-S1 through 9.9.7-S1 (inclusive) are affected.
ISC has received multiple reports of named crashes related to handling of Response Policy Zones (RPZ) in BIND 9.10 including (but not limited to) reports from operators who are using the Spamhaus RPZ feed.
Our developers have analyzed the reported crashes (which are in the form of assertion failures, i.e., a controlled shutdown), and they have identified multiple defects in the handling of Response Policy Zones which are addressed by new patches. These patches are being made available in coordination with this notification.
The most commonly-encountered crash happens when all of the following occur on a server with one or more slave RPZs:
- A slave RPZ zone transfer (IXFR) is initiated; and
- The transfer fails for any reason, and named falls back to AXFR.
Only servers with RPZs are affected, most critically those with one or more slave RPZs.
The only safe workaround would be to convert all "type slave" RPZs to "type master", and then to retrieve zone updates out-of-band. This would avoid the more likely crashes, but the problems in the RPZ code would still exist, and could be manifested in unanticipated ways.
Solution: Upgrade to the patched BIND 9.10.2-P1 release, provided with this Notification. ISC BIND Subscription customers will want to upgrade to 9.9.7-S3, which was released on 2015-06-11.
Acknowledgements: ISC would like to thank the several reporters for reporting this issue; with special mention of our friends at the Spamhaus Project for their kind assistance in troubleshooting.
Do you still have questions? Questions regarding this advisory should go to email@example.com
Note: ISC patches only currently supported versions: http://www.isc.org/software/bind/versions. In this case the EOL versions were not affected.
ISC Disclosure Policies: Additional information on our Operational Notifications can be found at: https://www.isc.org/software/notifications, and Phased Disclosure Process at: https://www.isc.org/security-vulnerability-disclosure-policy
This Knowledge Base article https://kb.isc.org/article/AA-01265
is the complete and official operational notification document.
Systems Consortium (ISC) is providing this notice on an "AS IS" basis.
No warranty or guarantee of any kind is expressed in this notice and
none should be implied. ISC expressly excludes and disclaims any
warranties regarding this notice or materials referred to in this
notice, including, without limitation, any implied warranty of
merchantability, fitness for a particular purpose, absence of hidden
defects, or of non-infringement. Your use or reliance on this notice or
materials referred to in this notice is at your own risk. ISC may change
this notice at any time. A stand-alone copy or paraphrase of the text
of this document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of date, or
contain factual errors.
© 2001-2017 Internet Systems ConsortiumFor assistance with problems and questions for which you have not been able to find an answer in our Knowledge Base, we recommend searching our community mailing list archives and/or posting your question there (you will need to register there first for your posts to be accepted). The bind-users and the dhcp-users lists particularly have a long-standing and active membership.ISC relies on the financial support of the community to fund the development of its open source software products. If you would like to support future product evolution and maintenance as well having peace of mind knowing that our team of experts are poised to provide you with individual technical assistance whenever you call upon them, then please consider our Professional Subscription Support services - details can be found on our main website.