Operational Notification: RPZ crashes (BIND 9.10)
Summary:
Numerous defects have been found in the BIND 9.10
implementation of Response Policy Zones (RPZ) which can lead to
a crash of the named process.
Posting date: 10 Jun 2015
Program Impacted: BIND
Versions affected:
9.10.0 through 9.10.2 (inclusive)
The defect also affects the BIND 9 Subscription Edition, which
is only available to ISC BIND Support customers; versions
9.9.3-S1 through 9.9.7-S1 (inclusive) are affected.
Description:
ISC has received multiple reports of named crashes related to handling
of Response Policy Zones (RPZ) in BIND 9.10 including (but not limited
to) reports from operators who are using the Spamhaus RPZ feed.
Our developers have analyzed the reported crashes (which are in the form
of assertion failures, i.e., a controlled shutdown), and they have
identified multiple defects in the handling of Response Policy Zones
which are addressed by new patches. These patches are being made
available in coordination with this notification.
The most commonly-encountered crash happens when all of the following
occur on a server with one or more slave RPZs:
* A slave RPZ zone transfer (IXFR) is initiated; and
* The transfer fails for any reason, and named falls back to AXFR.
Impact:
Only servers with RPZs are affected, most critically those with
one or more slave RPZs.
Workarounds:
The only safe workaround would be to convert all "type slave"
RPZs to "type master", and then to retrieve zone updates
out-of-band. This would avoid the more likely crashes, but the
problems in the RPZ code would still exist, and could be
manifested in unanticipated ways.
Solution:
Upgrade to the patched BIND 9.10.2-P1 release, provided with
this Notification. ISC BIND Subscription customers will want
to upgrade to 9.9.7-S3, which is expected to be released by
2015-06-12. (This Notification will be updated after the
release.)
Acknowledgements:
ISC would like to thank the several reporters for reporting
this issue; with special mention of our friends at the Spamhaus
Project for their kind assistance in troubleshooting.
Do you still have questions?
Questions regarding this advisory should go to supp...@isc.org
Note: ISC patches only currently supported versions:
http://www.isc.org/software/bind/versions.
In this case the EOL versions were not affected.
ISC Disclosure Policies:
Additional information on our Operational Notifications can be
found at: https://www.isc.org/software/notifications, and
Phased Disclosure Process at:
https://www.isc.org/security-vulnerability-disclosure-policy
The Knowledge Base article https://kb.isc.org/article/AA-01265 is the
complete and official operational notification document.
--
Chuck Aurora : ISC Software Support : chu...@isc.org
Internet Systems Consortium, Inc.
_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce
