[DNSfirewalls] Fwd: Operational Notification: RPZ crashes (BIND 9.10)

Paul Vixie paul at redbarn.org
Wed Jun 10 23:47:58 UTC 2015 

andrew fried provided both the first report i saw about this, and a lot
of debugging aid to ISC, to get these patches made. buy him a beer if
you see him.

re:

-------- Original Message --------
Subject: 	Operational Notification: RPZ crashes (BIND 9.10)
Date: 	Wed, 10 Jun 2015 14:56:58 -0500
From: 	Chuck Aurora <chucka at isc.org>
Organization: 	Internet Systems Consortium, Inc.
To: 	bind-announce at lists.isc.org



Operational Notification: RPZ crashes (BIND 9.10)


Summary:

	Numerous defects have been found in the BIND 9.10
	implementation of Response Policy Zones (RPZ) which can lead to
	a crash of the named process.

Posting date:		10 Jun 2015

Program Impacted:	BIND

Versions affected:

	9.10.0 through 9.10.2 (inclusive)
	The defect also affects the BIND 9 Subscription Edition, which
	is only available to ISC BIND Support customers; versions
	9.9.3-S1 through 9.9.7-S1 (inclusive) are affected.

Description:

ISC has received multiple reports of named crashes related to handling
of Response Policy Zones (RPZ) in BIND 9.10 including (but not limited
to) reports from operators who are using the Spamhaus RPZ feed.

Our developers have analyzed the reported crashes (which are in the form
of assertion failures, i.e., a controlled shutdown), and they have
identified multiple defects in the handling of Response Policy Zones
which are addressed by new patches.  These patches are being made
available in coordination with this notification.

The most commonly-encountered crash happens when all of the following
occur on a server with one or more slave RPZs:

*   A slave RPZ zone transfer (IXFR) is initiated; and
*   The transfer fails for any reason, and named falls back to AXFR.

Impact:

	Only servers with RPZs are affected, most critically those with
	one or more slave RPZs.

Workarounds:

	The only safe workaround would be to convert all "type slave"
	RPZs to "type master", and then to retrieve zone updates
	out-of-band.  This would avoid the more likely crashes, but the
	problems in the RPZ code would still exist, and could be
	manifested in unanticipated ways.

Solution:

	Upgrade to the patched BIND 9.10.2-P1 release, provided with
	this Notification.  ISC BIND Subscription customers will want
	to upgrade to 9.9.7-S3, which is expected to be released by
	2015-06-12.  (This Notification will be updated after the
	release.)

Acknowledgements:

	ISC would like to thank the several reporters for reporting
	this issue; with special mention of our friends at the Spamhaus
	Project for their kind assistance in troubleshooting.

Do you still have questions?

	Questions regarding this advisory should go to support at isc.org

Note: ISC patches only currently supported versions:
	http://www.isc.org/software/bind/versions.
In this case the EOL versions were not affected.

ISC Disclosure Policies:

	Additional information on our Operational Notifications can be
	found at: https://www.isc.org/software/notifications, and
	Phased Disclosure Process at:
	https://www.isc.org/security-vulnerability-disclosure-policy

The Knowledge Base article https://kb.isc.org/article/AA-01265 is the
complete and official operational notification document.
-- 
    Chuck Aurora : ISC Software Support : chucka at isc.org
    Internet Systems Consortium, Inc.
_______________________________________________
bind-announce mailing list
bind-announce at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

More information about the DNSfirewalls mailing list