[DNSfirewalls] Fwd: Operational Notification: RPZ crashes (BIND 9.10)
paul at redbarn.org
Wed Jun 10 23:47:58 UTC 2015
andrew fried provided both the first report i saw about this, and a lot
of debugging aid to ISC, to get these patches made. buy him a beer if
you see him.
-------- Original Message --------
Subject: Operational Notification: RPZ crashes (BIND 9.10)
Date: Wed, 10 Jun 2015 14:56:58 -0500
From: Chuck Aurora <chucka at isc.org>
Organization: Internet Systems Consortium, Inc.
To: bind-announce at lists.isc.org
Operational Notification: RPZ crashes (BIND 9.10)
Numerous defects have been found in the BIND 9.10
implementation of Response Policy Zones (RPZ) which can lead to
a crash of the named process.
Posting date: 10 Jun 2015
Program Impacted: BIND
9.10.0 through 9.10.2 (inclusive)
The defect also affects the BIND 9 Subscription Edition, which
is only available to ISC BIND Support customers; versions
9.9.3-S1 through 9.9.7-S1 (inclusive) are affected.
ISC has received multiple reports of named crashes related to handling
of Response Policy Zones (RPZ) in BIND 9.10 including (but not limited
to) reports from operators who are using the Spamhaus RPZ feed.
Our developers have analyzed the reported crashes (which are in the form
of assertion failures, i.e., a controlled shutdown), and they have
identified multiple defects in the handling of Response Policy Zones
which are addressed by new patches. These patches are being made
available in coordination with this notification.
The most commonly-encountered crash happens when all of the following
occur on a server with one or more slave RPZs:
* A slave RPZ zone transfer (IXFR) is initiated; and
* The transfer fails for any reason, and named falls back to AXFR.
Only servers with RPZs are affected, most critically those with
one or more slave RPZs.
The only safe workaround would be to convert all "type slave"
RPZs to "type master", and then to retrieve zone updates
out-of-band. This would avoid the more likely crashes, but the
problems in the RPZ code would still exist, and could be
manifested in unanticipated ways.
Upgrade to the patched BIND 9.10.2-P1 release, provided with
this Notification. ISC BIND Subscription customers will want
to upgrade to 9.9.7-S3, which is expected to be released by
2015-06-12. (This Notification will be updated after the
ISC would like to thank the several reporters for reporting
this issue; with special mention of our friends at the Spamhaus
Project for their kind assistance in troubleshooting.
Do you still have questions?
Questions regarding this advisory should go to support at isc.org
Note: ISC patches only currently supported versions:
In this case the EOL versions were not affected.
ISC Disclosure Policies:
Additional information on our Operational Notifications can be
found at: https://www.isc.org/software/notifications, and
Phased Disclosure Process at:
The Knowledge Base article https://kb.isc.org/article/AA-01265 is the
complete and official operational notification document.
Chuck Aurora : ISC Software Support : chucka at isc.org
Internet Systems Consortium, Inc.
bind-announce mailing list
bind-announce at lists.isc.org
More information about the DNSfirewalls