Operational Notification: BIND 9.11.0 and 9.11.1 carries a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2.
Posting date: 14 Jun 2017 Program Impacted: BIND Versions affected: BIND 9.11.0 -> 9.11.1.Px (all versions of BIND 9.11.0 and 9.11.1) Description: ISC will be releasing BIND 9.11.2 in July/August 2017 which will address integration issues with BIND's use of LMDB in BIND 9.11.0 and 9.11.1. Until then, our recommendation is that LMDB be disabled. Use of LMDB for the 'New Zone Database" (NZD) is a new feature in BIND 9.11, introduced in order to provide significant performance improvements during dynamic zone handling. It is enabled by default when building BIND on a system that has liblmdb installed and some packagers of BIND 9.11 include this feature (along with the liblmdb dependency) in their distribution. Impact: Problems that may be encountered on servers with LMDB enabled and "allow-new-zones yes;" include: - Some new zones fail to persist following a restart, reload or reconfig - Zone deletions are incomplete leading to anomalies on restart and/or when re-adding zones - On a server that is started with the -u option, Issuing the commands "rndc reload" or "rndc reconfig" may result in named terminating unexpectedly - A deadlock (hang) of named sometimes occurs during concurrent dynamic zone operations Workarounds: - If building BIND 9.11 in an environment with liblmdb available, ensure that the integration is explicitly disabled by building BIND with the configure option --without-lmdb. - There are no run time options available to disable lmdb integration, therefore if you are running a pre-built (package) version of BIND 9.11.0 or 9.11.2 that provides LMDB integration along with installing liblmdb as a dependent package, we recommend contacting your provider to request an update. Solution: BIND 9.11.2 will be published in July/August 2017. At that time it will become available for download from http://www.isc.org/downloads/all. Do you still have questions? Questions regarding this advisory should go to security-offi...@isc.org. To report a new issue, please encrypt your message using security-offi...@isc.org's PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/. Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see http://www.isc.org/downloads/). ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861 This Knowledge Base article https://kb.isc.org/article/AA-01497 is the complete and official operational notification document. Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors. (C) 2017 Internet Systems Consortium _______________________________________________ bind-announce mailing list firstname.lastname@example.org https://lists.isc.org/mailman/listinfo/bind-announce