To our users --
Yesterday we issued new release versions of BIND (9.11.28, 9.16.12,
and 9.17.10, plus versions 9.11.28-S1 and 9.16.12-S1 of BIND
Supported Preview Edition for eligible support customers).
Unfortunately an issue affecting an extension to the serve-stale
functionality in the 9.16.12, 9.17.10, and 9.16.12-S1 releases was
not discovered until after the new versions had been published.
The following Operational Notification explains the issue.
ONLY operators who are using serve-stale with one of the three
BIND versions listed above are at any risk from the defect, and for
those customers a choice of several effective configuration
workarounds can be found in the "Workarounds" section of the
notification. One of the workaround choices disables serve-stale;
another reverts the feature to its previous behavior (i.e. the same
way it worked in releases containing the serve-stale feature
prior to the ones just issued).
We regret that our error requires operators using serve-stale
with an affected version of BIND to add the workarounds to their
configuration in order to avoid hitting the defect, but because
the workarounds are effective we are not at this time planning
to issue emergency replacement versions of BIND. The flaw in the
revised feature will be fixed in the March 2021 maintenance
releases, expected on 17 March.
That said, we expect that we will have a patch diff tested and
available sooner than that for operators who for whatever reason
prefer not to use any of the workarounds but still require the use
of serve-stale. If you require a patch diff, please request one
by e-mail to security-offi...@isc.org
Michael McNally
ISC Security Officer
-----
Operational Notification: Enabling the new BIND option
"stale-answer-client-timeout" can result in unexpected server termination
Posting date: 18 February 2021
Program impacted: BIND
Versions affected: BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview Edition)
and version 9.17.10 of the 9.17 development branch.
Description:
The serve-stale feature (available in BIND 9.11-S, 9.16 and 9.17
branches) has been undergoing some enhancement to bring it into
conformance with RFC 8767. As part of this work, in the BIND
February 2021 maintenance releases, we added a new feature:
'stale-answer-client-timeout' with a default value of 1800
milliseconds. BIND servers that have enabled the returning of
stale cached answers (i.e. those that have set "stale-answer-enable yes;"
in named.conf or where serve-stale features have been enabled
during runtime using "rndc serve-stale on") may experience an
unexpected server termination (crash) if stale-answer-client-timeout
is applied to a client query that is being processed.
Impact:
The named process may terminate unexpectedly with an assertion
failure in the procedure ns_query_recurse() in query.c.
Workarounds:
There are three workarounds; if affected by this problem you can
choose the one most suited to your needs:

1) Disable stale answers:

       stale-answer-enable no;

2) Enable stale answers, but use stale-answer-client-timeout to
   indicate a preference for serving stale content before attempting
   to refresh it:

       stale-answer-client-timeout 0;

3) Enable stale answers but disable the stale-answer-client-timeout
   (named will not search for a stale answer until an attempt to
   refresh the data has failed):

       stale-answer-client-timeout off;
Solution:
Code changes which fix the broken behavior are planned for the
March 2021 maintenance releases (due 17 March 2021) but until
then the measures suggested in the "Workarounds" section are the
best solution for server operators using the affected
stale-answer-enable setting.
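The following script is an added example, not ISC code, that turns the conditions above into a check an operator can run against the output of `named -V` and a copy of named.conf: it reports exposure only when the version is one of the three affected releases, stale answers are enabled (in the configuration or via `rndc serve-stale on`, which the script takes as a flag because it leaves no trace in named.conf), and stale-answer-client-timeout is neither 0 nor off. The `named -V` line shape, the sample configurations and the `<id:...>` placeholder are assumptions constructed for the example.

```python
"""Added example (not ISC code): decide from `named -V` output and named.conf
whether a resolver matches the affected configuration in this notification."""
import re

# The three releases the notification lists as affected.
AFFECTED_VERSIONS = {"9.16.12", "9.16.12-S1", "9.17.10"}

# Default for stale-answer-client-timeout when the option is not set (per the notification).
DEFAULT_CLIENT_TIMEOUT_MS = "1800"


def parse_named_version(named_v_output: str) -> str:
    """Return the version token from the first line of `named -V`.

    Assumes the line starts 'BIND <version> ...', e.g.
    'BIND 9.16.12 (Stable Release) <id:...>' -> '9.16.12'.
    """
    m = re.match(r"\s*BIND\s+(\S+)", named_v_output)
    if not m:
        raise ValueError("unrecognised `named -V` output")
    return m.group(1)


def strip_comments(conf: str) -> str:
    """Remove the three named.conf comment styles: /* ... */, // ..., # ..."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", " ", conf)


def option_value(conf: str, name: str):
    """Return the last value given for option `name`, lower-cased, or None if unset.

    Deliberately simple: a global or view-level statement both count, which
    errs on the side of reporting exposure.
    """
    values = re.findall(rf"\b{re.escape(name)}\s+([^;\s]+)\s*;", conf)
    return values[-1].lower() if values else None


def assess(version: str, named_conf: str, rndc_serve_stale_on: bool = False) -> dict:
    """Combine version, configuration and runtime state into a verdict.

    `rndc_serve_stale_on` should be True if `rndc serve-stale on` has been
    issued, since that enables stale answers without any named.conf change.
    """
    if version not in AFFECTED_VERSIONS:
        return {"affected": False, "reason": f"BIND {version} is not one of the affected releases"}

    conf = strip_comments(named_conf)
    stale_enabled = option_value(conf, "stale-answer-enable") == "yes" or rndc_serve_stale_on
    if not stale_enabled:
        return {"affected": False, "reason": "stale answers are not enabled (workaround 1)"}

    timeout = option_value(conf, "stale-answer-client-timeout") or DEFAULT_CLIENT_TIMEOUT_MS
    if timeout == "0":
        return {"affected": False, "reason": "stale-answer-client-timeout 0 (workaround 2)"}
    if timeout == "off":
        return {"affected": False, "reason": "stale-answer-client-timeout off (workaround 3)"}

    return {
        "affected": True,
        "reason": (f"serve-stale enabled with stale-answer-client-timeout {timeout} ms on "
                   f"BIND {version}; apply one of the three workarounds"),
    }


# Constructed sample configurations (not from the page).
SAMPLE_CONF_EXPOSED = """
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable yes;   // relies on the 1800 ms default timeout
};
"""

SAMPLE_CONF_WORKAROUND_3 = """
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable yes;
    /* stale-answer-client-timeout 0; */   # commented out; the live setting is below
    stale-answer-client-timeout off;
};
"""

if __name__ == "__main__":
    # <id:0000000> is a placeholder, not a real build id.
    version = parse_named_version("BIND 9.16.12 (Stable Release) <id:0000000>")
    for label, conf in (("exposed", SAMPLE_CONF_EXPOSED), ("workaround 3", SAMPLE_CONF_WORKAROUND_3)):
        verdict = assess(version, conf)
        print(f"{label}: affected={verdict['affected']} ({verdict['reason']})")
```

The comment stripping matters: a `stale-answer-client-timeout 0;` that survives only inside a comment must not be mistaken for a workaround in place, and the second sample shows that case. Because the check reads a file rather than the running server, pass `rndc_serve_stale_on=True` when stale answers were switched on at runtime.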
Note:
BIND 9.11.28-S1 is unaffected by this problem.
Although the serve-stale feature is present in BIND 9.11 Supported
Preview Edition, we had not yet back-ported the new
'stale-answer-client-timeout' option when this problem was
uncovered.
Do you still have questions? Questions regarding this advisory
should go to security-offi...@isc.org. To report a new issue, please
encrypt your message using security-offi...@isc.org's PGP key which
can be found here: https://www.isc.org/pgpkey/. If you are unable
to use encrypted email, you may also report new issues at:
https://www.isc.org/reportbug/.
Note:
ISC patches only currently supported versions. When possible we indicate EOL versions
affected. (For current information on which versions are actively supported, please see
https://www.isc.org/download/.)
This Knowledgebase article, found at
https://kb.isc.org/v1/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination
is the complete and official operational notification document.
Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
_______________________________________________
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce